coinank-openapi

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt directs the agent to read COINANK_API_KEY from the environment and inject it into curl request headers, which requires including the secret value (or placing it on the command line) in generated output, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's runtime workflow (SKILL.md step 5) instructs the agent to make network requests to the public API https://open-api.coinank.com and the README explicitly documents /api/news/getNewsList and /api/news/getNewsDetail endpoints that return third‑party news content the agent will fetch and interpret, exposing it to untrusted external content.