capawesome-cli

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill includes token-based authentication examples that pass a token directly on the command line (e.g., npx @capawesome/cli login --token <TOKEN>), which encourages embedding secret values verbatim in generated commands and thus creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill documents a command that ingests arbitrary external web content—specifically the apps:liveupdates:register command which accepts a user-provided --url (see references/commands.md and references/live update docs) to register a self-hosted HTTPS bundle—so the agent/workflow will rely on and act upon untrusted third-party content supplied via arbitrary URLs.