render-migrate-from-heroku

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt instructs the agent to ask for or pull Heroku config (including connection strings and secrets) and to apply or use those values (e.g., via update_environment_variables or database dump/restore commands), which requires handling and potentially emitting secret values verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs users to run a network installation command that fetches and executes a remote installer at runtime via "curl -fsSL https://raw.githubusercontent.com/render-oss/cli/main/bin/install.sh | sh", which downloads and runs remote code the workflow depends on for validation and migration steps.