coinstats-nft

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt's auth example shows passing an API key directly on the command line (coinstats login --api-key <key>), which encourages embedding secrets verbatim in generated commands and thus risks exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly defines commands (e.g., "coinstats nft trending", "coinstats nft collection", "coinstats nft asset") that fetch NFT and wallet data from the third‑party CoinStats service, and that NFT/marketplace metadata is user-generated/untrusted content the agent will read and could influence its responses or actions.