claude-authenticity

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt explicitly asks for an API key and shows editing/placing it into the script as API_KEY (and uses it in HTTP header construction), which encourages collecting and embedding secrets verbatim in code/requests, creating a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill posts probes to a user-specified API endpoint (ENDPOINT in SKILL.md) via the _call/httpx client and directly parses the provider's responses (answer/thinking and extract_system_prompt probes), thus ingesting untrusted third‑party model outputs that materially drive the authenticity verdicts and follow-up actions.