octocode-install

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs collecting and embedding GitHub personal access tokens (e.g., "GITHUB_TOKEN": "ghp_xxx") into configuration and asks the user to paste a PAT, which requires handling and outputting secret values verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). This skill invokes npx to run remote packages (e.g., "npx octocode-cli" and the MCP server "npx octocode-mcp@latest"), which fetch and execute code at runtime from the npm registry (e.g., https://www.npmjs.com/package/octocode-cli and https://www.npmjs.com/package/octocode-mcp), so it has a required runtime external dependency that executes remote code.