typo3-ddev

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill prompt includes an explicit plaintext credential pair ("admin / Joh316!!") and references CLI flags (e.g., --admin-user-password) which encourage embedding that secret verbatim into commands or config, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill runs external Docker images at runtime (e.g., ghcr.io/typo3-documentation/render-guides:latest and valkey/valkey:8-alpine), which are fetched from remote registries and executed as code the skill relies on (documentation rendering, caching services), so these are runtime external dependencies that execute remote code.