mcp-app-dev-setup
Fail
Audited by Snyk on Jun 17, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt explicitly asks the agent to obtain cluster credentials from the user/1Password and populate/use them in a .env file and validation commands, which requires handling and potentially embedding secret values verbatim.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs "git clone https://github.com/elastic/forge.git ../forge" and then installs and executes code from that repository (pip install -e ".[dev]" and python3 -m forge.cli), so the external GitHub repo is fetched at runtime and its code is executed as a required dependency.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata