magento-setup

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's example installer commands include placeholders for --db-password and --admin-password (and other secret fields) passed directly as CLI flags, which would require the LLM to insert secret values verbatim into generated commands/outputs, creating exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's installation pattern instructs running composer create-project --repository-url=https://repo.magento.com/ at runtime, which fetches and installs remote PHP code (executed locally) and is required for the setup, so https://repo.magento.com/ is a runtime dependency that can execute remote code.