alibabacloud-devops
Fail
Audited by Snyk on Jun 25, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). 说明中示例要求将 YUNXIAO_ACCESS_TOKEN 以 --env YUNXIAO_ACCESS_TOKEN=your-token 的形式直接传入命令,这会使模型在生成命令或代码时需要包含密钥的明文值,从而存在凭证外泄风险。
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill invokes npx to fetch-and-run the remote package alibabacloud-devops-mcp-server at runtime (e.g., fetched from the npm registry like https://registry.npmjs.org/alibabacloud-devops-mcp-server), which is a required external dependency that executes remote code during skill runtime.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata