dokploy-deploy
Fail
Audited by Socket on Feb 20, 2026
1 alert found:
Obfuscated File (HIGH): scripts/setup.py
The file is a benign setup helper in intent but contains several security weaknesses that materially increase supply-chain and credential-exposure risk: disabled TLS verification for API calls, plaintext persistence of API keys to ~/.claude/mcp.json, and configuration that causes runtime execution of an unpinned npm package (npx) with the API key available in environment variables. There is no direct evidence of malware within this Python source, but the combination of behaviors elevates the security risk and warrants remediation before use.
Confidence: 98%