zeabur-update-service

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs adding/updating environment variables by passing key="KEY=value" on the command line and explicitly mentions changing credentials, which requires the agent to include secret values verbatim in generated commands (high exfiltration risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill requires running npx zeabur@latest at runtime, which fetches and executes remote code from the npm registry (e.g., https://registry.npmjs.org/zeabur) and is presented as a required dependency, so it executes external code during runtime.