neo4j-getting-started-skill

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to create/write a .env containing NEO4J_URI/USERNAME/PASSWORD and to record NEO4J_URI in progress/README (and to "write .env from user creds"), which requires the LLM to include secret values verbatim in generated files/output, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests open/public third-party content — e.g., downloading the neo4j-mcp binary from GitHub (references/0-prerequisites.md), calling the Aura REST API and live OpenAPI spec (references/2-provision.md / scripts/provision_aura.py), and reading remote CSVs/URLs for imports (references/4-load.md) — and those fetched responses and files are parsed and used to make provisioning, region-selection, import, and query-validation decisions, so untrusted external content can materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly downloads and runs remote executables and scripts at runtime — e.g. the neo4j-mcp binary from https://github.com/neo4j/mcp/releases/latest/download/neo4j-mcp-${PLATFORM}-${ARCH} (downloaded, chmod'd and executed in prerequisites) and a remote Cypher script piped from https://raw.githubusercontent.com/neo4j-graph-examples/movies/main/data/movies.cypher into cypher-shell during the demo load path, which fetches and executes external code/data required by those runtime paths.