gitnexus-cli

Fail

Audited by Snyk on Jun 23, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes a --api-key command-line flag (and examples imply passing an LLM API key on the command line), which encourages embedding API keys verbatim in commands/outputs and thus risks secret exfiltration.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The README instructs regenerating the runner with commands like "npx gitnexus analyze" (which fetches and executes the gitnexus package from the npm registry, e.g. https://registry.npmjs.org/gitnexus), and that fetched code generates CLAUDE.md/AGENTS.md context files used to control agent prompts, so remote code fetched at runtime can directly control agent instructions.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
HIGH
Analyzed
Jun 23, 2026, 06:15 PM
Issues
2
Security Audit — snyk — gitnexus-cli