pachca-read-members

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly tells the agent to ask the user for a Pachca token and to include it in CLI invocations (via --token or export), which requires the LLM to receive and/or emit secret values verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill instructs running npx @pachca/cli (and npm install -g @pachca/cli), which at runtime fetches and executes code from the npm registry (e.g., registry.npmjs.org for the @pachca/cli package), so this is a required external dependency that executes remote code.