world-labs-image-prompt

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed API keys directly into commands and code (e.g., curl -H "WLT-Api-Key: YOUR_API_KEY" and a Python function that takes an api_key and places it in request headers), which requires the LLM to handle or emit secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly supports loading images from arbitrary public URLs via the "Option 2: From Public URL" / "uri" field (e.g., https://example.com/my-image.jpg), so the agent will fetch and interpret untrusted third‑party image content as part of its workflow.