fly-io

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt contains examples that embed secrets directly in commands and URLs (e.g., DATABASE_URL=postgres://user:pass@host:5432/dbname, flyctl secrets set APP_KEYS="your-app-keys") and shows patterns that would cause an assistant to insert real API tokens/passwords verbatim into generated commands or code, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The SKILL instructs running "curl -L https://fly.io/install.sh | sh", which fetches and executes remote code at runtime to install the required flyctl CLI (a required dependency), so this URL is a runtime external dependency that executes remote code: https://fly.io/install.sh