dokploy

Fail

Audited by Snyk on Mar 24, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt explicitly shows passing the API key as a CLI argument (--key "your-api-key") and notes the required x-api-key header. Even though env-var usage is also mentioned, an LLM following that example is likely to place the real secret verbatim in a command line, where it is exposed in process listings, shell history and agent transcripts.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill's api_request helper (scripts/dokploy.sh) fetches JSON from a user-configurable DOKPLOY_API_URL (e.g., /project.all, /deployment.logs, /application.byId). The CLI scripts then parse those untrusted API responses (project descriptions, deployment logs, IDs, env vars) and feed them into required workflows and follow-up actions, so content controlled by a third party can materially influence the agent's behavior.
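The following is an added example and not the skill's own scripts/dokploy.sh. It shows a request helper that addresses both findings at once: for W007 it refuses a key passed as a CLI argument, reads it only from an environment variable and hands it to curl through a config on stdin so it never appears in argv; for W011 it wraps every API response in explicit markers and scrubs the key from the body so the response is handled as data rather than instructions. The variable name DOKPLOY_API_KEY and the marker format are assumptions of this example; DOKPLOY_API_URL and the x-api-key header are taken from the audit text.

```shell
#!/bin/sh
# Added example: a hardened request helper for a Dokploy skill. This is not the
# skill's own scripts/dokploy.sh; it shows the pattern the audit findings call for.
# Assumptions: the key lives in DOKPLOY_API_KEY (hypothetical variable name) and
# the base URL in DOKPLOY_API_URL (named in the audit); the header is x-api-key.

# W007: refuse a key on the command line. argv is visible to every local user via
# `ps` and is written to shell history and agent transcripts.
dokploy_require_key() {
    for arg in "$@"; do
        case "$arg" in
            --key|--key=*|--api-key|--api-key=*)
                echo "error: pass the key in DOKPLOY_API_KEY, never as an argument" >&2
                return 2 ;;
        esac
    done
    if [ -z "${DOKPLOY_API_KEY:-}" ]; then
        echo "error: DOKPLOY_API_KEY is not set" >&2
        return 1
    fi
}

# Only an https base URL may carry the x-api-key header.
dokploy_validate_url() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "error: DOKPLOY_API_URL must be https (got '$1')" >&2; return 1 ;;
    esac
}

# Scrub the key from anything echoed back (error bodies, logs, env dumps) so it
# is never repeated verbatim to the model. Assumes the key contains no '|'.
dokploy_redact() {
    if [ -n "${DOKPLOY_API_KEY:-}" ]; then
        sed "s|${DOKPLOY_API_KEY}|[REDACTED]|g"
    else
        cat
    fi
}

# W011: wrap an API response in explicit markers so the caller treats it as data,
# not instructions, and neutralize any forged closing marker inside the body.
dokploy_fence_untrusted() {
    printf '<<<UNTRUSTED dokploy:%s>>>\n' "$1"
    sed 's/<<<END UNTRUSTED>>>/<<<(marker removed)>>>/g' | dokploy_redact
    printf '<<<END UNTRUSTED>>>\n'
}

# GET an endpoint such as project.all. The key reaches curl through a config read
# from stdin (-K -), so it appears neither in argv nor in the script source.
dokploy_api_request() {
    endpoint=$1
    shift
    dokploy_require_key "$@" || return $?
    dokploy_validate_url "${DOKPLOY_API_URL:-}" || return 1
    printf 'header = "x-api-key: %s"\n' "$DOKPLOY_API_KEY" |
        curl -sS --fail -K - -H 'accept: application/json' \
            "${DOKPLOY_API_URL%/}/${endpoint#/}" |
        dokploy_fence_untrusted "$endpoint"
}
```

Usage: `DOKPLOY_API_KEY=... DOKPLOY_API_URL=https://dokploy.example.com/api sh -c '. ./helper.sh; dokploy_api_request project.all'`. The skill's instructions should then reference only the environment variable, never a `--key` flag, and any downstream step that reads the fenced output should extract the specific fields it needs rather than acting on free text found inside the markers.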

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
Mar 24, 2026, 12:26 AM
Issues
2