metabase-modular-embedding-to-modular-embedding-sdk-upgrade

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt requires the agent to read project config (e.g., window.metabaseConfig) and produce exact per-file diffs that migrate those values into MetabaseProvider config, which would force the LLM to reproduce any embedded secrets (API keys, JWTs, tokens) verbatim in its output.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs a curl at runtime to fetch version-specific docs (https://www.metabase.com/docs/v0.{VERSION}/llms-embedding-full.txt), which are described as "optimized for LLM consumption" and are read into the agent context to guide the migration, meaning remote content fetched at runtime can directly control the agent's instructions.