mage-remote-run

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes explicit examples that pass API keys, bearer tokens, client secrets, and webhook header secrets directly on the command line or in headers (e.g., --client-secret "my-client-secret", --token "integration_access_token", Authorization: Bearer , --headers '... "value":"secret123"'), which requires an LLM to handle or echo secret values verbatim and thus presents an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a commerce-administration CLI specifically for Adobe Commerce/Magento and exposes explicit commands that modify monetary balances: e.g., "mage-remote-run company credit increase 1 500.00" and "mage-remote-run company credit decrease 1 100.00". Those are concrete, purpose-built commands to adjust credit (financial) state in the platform rather than generic tooling like a browser or generic HTTP caller. Because it includes specific, built-in commands to change monetary/credit balances, it grants direct financial execution authority.