magento-setup
Fail
Audited by Snyk on Mar 19, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill's installer examples include plaintext secret flags (e.g., --db-password, --admin-password) which encourage embedding secrets directly into generated CLI commands, creating a high exfiltration risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's installation pattern instructs running composer create-project --repository-url=https://repo.magento.com/ at runtime, which fetches and installs remote PHP code (executed locally) and is required for the setup, so https://repo.magento.com/ is a runtime dependency that can execute remote code.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata