pachca-users

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly tells the agent to ask the user for a Pachca token and shows using that token in CLI commands (e.g., --token and export ), which requires the LLM to receive and potentially output the secret verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill instructs running "npx @pachca/cli" (and optionally "npm install -g @pachca/cli"), which at runtime fetches and executes remote npm package code (@pachca/cli), so it is a runtime external dependency that executes remote code.