aviation-installer
Fail
Audited by Snyk on Jun 21, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly asks the user to paste their Aviationstack API key into the agent (setting {API_KEY}), which implies the LLM will handle and may embed that secret verbatim into SQL/commands or sub-skill outputs—creating an exfiltration risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The installer creates and uses a Git Repository Stage with ORIGIN 'https://github.com/Snowflake-Labs/sfguide-aviation-ops-intelligence.git' and at runtime reads .cortex/skills/*.SKILL.md and other files (e.g., airlines.csv) from that stage, so remote GitHub content is fetched during execution and directly controls the installer's instructions/behavior.
Issues (2)
HIGH W007: Insecure credential handling detected in skill instructions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).