performing-android-app-static-analysis-with-mobsf

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill explicitly shows retrieving the MobSF REST API key and embedding it into curl commands as "Authorization: <API_KEY>" (and instructs obtaining that key), which would require the agent to handle and paste secret values verbatim into generated commands even though a safer env-var CI example is also given.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's Step 1 instructs pulling and running the Docker image opensecurity/mobile-security-framework-mobsf:latest (docker run opensecurity/mobile-security-framework-mobsf:latest), which fetches and executes remote code as a required runtime dependency.