gitnexus-cli
Fail
Audited by Snyk on Jun 23, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes a --api-key command-line flag (and examples imply passing an LLM API key on the command line), which encourages embedding API keys verbatim in commands/outputs and thus risks secret exfiltration.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The README instructs regenerating the runner with commands like "npx gitnexus analyze" (which fetches and executes the gitnexus package from the npm registry, e.g. https://registry.npmjs.org/gitnexus), and that fetched code generates CLAUDE.md/AGENTS.md context files used to control agent prompts, so remote code fetched at runtime can directly control agent instructions.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata