website-to-vite-scraper

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt explicitly embeds API tokens in config/URLs (e.g., "APIFY_TOKEN": "your-apify-api-token" and https://mcp.apify.com?token=YOUR_TOKEN), which instructs placing secret values verbatim into JSON/requests and thus would require the LLM to handle/output secrets directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill explicitly fetches and ingests arbitrary public websites (via the required "url" workflow parameter and providers like Apify RAG Browser, Playwright, Crawl4AI, and Firecrawl which follow links and extract HTML/markdown), so it will read untrusted third‑party/user-generated web content as part of its workflow and could enable indirect prompt injection.