zeabur-update-service

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's workflow instructs adding/updating environment variables via CLI flags like --key "KEY=value" (and references changing credentials), which requires the agent to place secret values verbatim into generated commands, creating exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly requires invoking "npx zeabur@latest" at runtime, which fetches and executes code from the npm registry (remote package content) and thus is a runtime external dependency that executes remote code.