freebuff2api-openai-proxy

Fail

Audited by Snyk on Apr 20, 2026

Risk Level: HIGH
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill's runtime deployment pulls and runs a remote Docker image (ghcr.io/quorinex/freebuff2api:latest) — and optionally fetches source from https://github.com/Quorinex/Freebuff2API.git — both of which download and execute remote code the skill relies on.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I flagged the authToken value shown in the credentials.json example: "fa82b5c1-e39d-4c7a-961f-d2b3c4e5f6a7" — this is a literal, non-truncated, random-looking token (UUID format) presented as the stored authToken and explicitly described as "Copy the authToken value — this is your AUTH_TOKENS value." That meets the definition of a hardcoded, usable credential and should be treated as a secret.

Ignored items and why:

  • "PROXY_API_KEYS=my-secret-key", "API_KEYS": ["secret-key-for-team", "another-key-for-ci"], "FREEBUFF_TOKENS=token1,token2,token3", "AUTH_TOKENS": ["token1", "token2"], "token-account-1", "token1,token2,token3", "my-secret-key", and similar examples — these are obvious documentation placeholders or low-entropy example keys and thus explicitly excluded per the rules.
  • Values like "unused" in code examples, environment variable names, and hostnames (e.g., proxy.company.com) are not secrets.

Issues (2)

  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Apr 20, 2026, 12:48 AM
  • Issues: 2