mcp-app-dev-setup

Fail

Audited by Snyk on Jun 17, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt explicitly asks the agent to obtain cluster credentials from the user/1Password and populate/use them in a .env file and validation commands, which requires handling and potentially embedding secret values verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs "git clone https://github.com/elastic/forge.git ../forge" and then installs and executes code from that repository (pip install -e ".[dev]" and python3 -m forge.cli), so the external GitHub repo is fetched at runtime and its code is executed as a required dependency.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
HIGH
Analyzed
Jun 17, 2026, 11:18 AM
Issues
2
Security Audit — snyk — mcp-app-dev-setup