mapping-codebases

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly includes "constants and defines" and "Other files (JSON, YAML, configs)" in generated _MAP.md output, which would cause any hard-coded API keys, tokens, or passwords present in the repository to be included verbatim in the LLM's output, creating a direct exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's _bootstrap_parsers() calls curl at runtime to fetch the parser manifest and parser tarball from GitHub (e.g. https://github.com/kreuzberg-dev/tree-sitter-language-pack/releases/download/v{_tslp_version}/parsers.json and the associated tarball URL), which downloads native .so parser libraries that are then extracted/loaded and thus execute remote code as a required fallback dependency.