square-post

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to prompt the user for their X-Square-OpenAPI-Key and "store provided keys" by updating the Accounts section in the file (and shows example requests with the API key header), which requires handling and writing the secret verbatim in the agent's output/context, creating exfiltration risk.