building-vulnerability-dashboard-with-defectdojo
Fail
Audited by Snyk on Apr 17, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt includes examples that embed API keys/tokens and plaintext passwords in curl headers, environment variables, and config snippets (e.g., Authorization: Token ${API_KEY}, DD_DATABASE_PASSWORD, DD_SECRET_KEY, Jira password), which would require the agent to handle or output secret values verbatim if real credentials are substituted.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The deployment instructions explicitly run "git clone https://github.com/DefectDojo/django-DefectDojo.git" and then execute ./dc-up-d.sh from that repository, which fetches remote code and runs it as a required deployment step, so the URL is used at runtime to obtain and execute external code.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).