gitnexus-cli

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt documents a --api-key flag and examples that pass API keys on the command line (and mentions saving keys to config.json), which encourages the agent to accept and embed secret values verbatim in commands/outputs, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's mcp.json invokes "npx -y gitnexus@latest mcp", which at runtime fetches and executes the gitnexus package from the npm registry (e.g., https://registry.npmjs.org/gitnexus), so external code is executed and required for the skill to run.