commandbox-deploying

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes multiple examples that embed plaintext secrets directly into commands and environment variables (e.g., cfconfig_adminPassword=mySecret, MYSQL_ROOT_PASSWORD=root, cfconfig set adminPassword=mySecret), which encourages or requires emitting secret values verbatim in generated commands/configs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The cloud-init and install steps fetch and install remote packages (curl -fsSl https://downloads.ortussolutions.com/debs/gpg and the apt repo https://downloads.ortussolutions.com/debs/noarch), and CI/workflow steps pull/execute external tooling (Ortus-Solutions/setup-commandbox@v2.0.0 and https://github.com/ortus-solutions/heroku-buildpack-commandbox.git), which are runtime fetches that install/execute remote code required by the skill.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill includes explicit sudo commands and instructions to modify system files (apt sources, install packages, create systemd service files, enable/start services), which require elevated privileges and change the host system state, so it should be flagged.