secure-mule-app

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly asks the user for an encryption key, reads sensitive values from files, and instructs running encryption commands and updating configs that embed the raw key and plaintext secrets verbatim (e.g., passing and on the java command line and adding -M-Dencryption.key), which forces the LLM to handle and output secret values directly.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill instructs at runtime to download and then execute a remote JAR (https://docs.mulesoft.com/mule-runtime/4.4/_attachments/secure-properties-tool.jar) which directly runs code and is required for the encryption steps, so this external URL is a high-confidence runtime code-execution dependency.