schema0-dev

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill requires parsing the CLI-returned JSON and then embedding the long device_code value verbatim into a command (schema0 login --device-code <device_code>), which forces the agent to handle and output a secret token directly.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs a runtime installation command that fetches and executes remote code via curl -fsSL https://bun.sh/install | bash to install the required bun runtime, so this external URL is used at runtime, executes remote code, and is a required dependency.