packer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes plaintext secrets in example HCL and a variables file (e.g., proxmox_api_token_secret and ssh_password) and demonstrates using a var-file with packer, which encourages embedding real secret values verbatim in generated configs/commands.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The HCL declares a required plugin source "github.com/hashicorp/proxmox", which packer will fetch at runtime via packer init and execute as plugin code (a required external dependency), so this external URL is a runtime dependency that executes remote code: github.com/hashicorp/proxmox