appdeploy

Fail

Audited by Snyk on Feb 28, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill shows and requires using a raw API key (saved in .appdeploy and inserted into curl Authorization headers like "Authorization: Bearer {api_key}"), which forces the agent to include secret values verbatim in commands/output.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill makes runtime JSON-RPC calls to https://api-v2.appdeploy.ai/mcp (and requests an API key from https://api-v2.appdeploy.ai/mcp/api-key), and explicitly requires calling get_deploy_instructions which returns constraints/instructions the agent must follow, meaning fetched remote content can directly control agent prompts/behavior.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 28, 2026, 06:52 AM