prisma-postgres
Fail
Audited by Snyk on Jun 18, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt includes an example that passes an API key directly on the command line (prisma postgres link --api-key "<your-api-key>") and references connection strings/DATABASE_URL, which encourages embedding secret values verbatim in commands or outputs.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill directs users to run "npx create-db@latest" (and aliases like npx create-pg@latest), which fetches and executes remote code from the npm registry at runtime (see https://www.npmjs.com/package/create-db), so it relies on executing external code during skill operation.
Issues (2)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).