saas-seeder

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly tells the agent to ask for DB credentials, encryption/API keys and to create/update a .env file (and register provider keys), which requires embedding secret values verbatim in generated files/outputs, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The GitLab CI snippet includes "curl -sS https://getcomposer.org/installer | php", which fetches and immediately executes remote code during setup (composer installation) and is relied on by the workflow to install dependencies, so it meets the criteria for a runtime-executed external dependency (https://getcomposer.org/installer).