pp-fedex

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill documents an auth command that accepts client-id/client-secret flags and enforces non-interactive agent mode (every input must be a flag), which encourages embedding secrets verbatim on the command line and thus creates an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill requires installing and running remote code at runtime via commands that fetch and execute external packages (e.g., go install github.com/mvanhorn/printing-press-library/library/commerce/fedex/cmd/fedex-pp-cli@latest and npx -y @mvanhorn/printing-press install fedex), so these repository/package URLs are runtime dependencies that execute fetched code.