subgraph
Fail
Audited by Snyk on Mar 29, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt includes explicit CLI usage that passes a deploy key placeholder (yarn graph auth --studio <DEPLOY_KEY>) and a hardcoded DB password in the docker config, which encourages embedding secrets verbatim in commands and configs (an insecure pattern).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill runs docker compose, which pulls and executes remote container images (e.g., graphprotocol/graph-node:v0.41.1, ipfs/kubo:v0.39.0, and postgres) at runtime; those images are required for the local Graph Node to operate, meaning remote code is fetched and executed as a dependency.
Issues (2)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).