wp-plugin-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill requires reading uploaded plugin files and producing exact before/after code snippets and line-specific findings, so if those files contain hard-coded API keys or secrets the LLM would be forced to reproduce them verbatim in the report, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The setup script (scripts/setup_tools.sh) downloads and executes the Composer installer at runtime from https://getcomposer.org/installer (php composer-setup.php), which fetches and runs remote code required for the tool installation.