dv-connect

Fail

Audited by Snyk on May 4, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly writes CLIENT_SECRET (and CLIENT_ID) into a generated .env file and presents a "service principal" option (implying the agent will collect and embed those credentials), so the agent would need to handle and emit secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly reads and parses live, external Dataverse environment data (e.g., "pac org who"/"pac env list" in Step 2, the Power Apps API calls in references/mcp-configuration.md Step 3b, and later MCP/list_tables responses) and uses those untrusted, user‑controlled endpoints to decide configuration and invoke tool actions, so third‑party content can influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill invokes external package installs and runtime fetches that execute remote code — notably "npm install -g @microsoft/dataverse@latest" and "npx -y @microsoft/dataverse@latest mcp "{USER_URL}"" (downloaded from the npm registry), and also recommends "pip install --upgrade ..." (from PyPI), which are runtime external dependencies that execute remote code.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: HIGH
Analyzed: May 4, 2026, 07:51 PM
Issues: 3