zapier-workflows

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly asks users to provide webhook URLs and authorization tokens, stores them in plain-text references, and instructs the agent to include those secrets verbatim in curl/claude commands and files, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). This skill invokes external search/aggregation MCP tools (e.g., Perplexity via Zapier MCP — see "mcp__zapier__perplexity_chat_completion" and examples in Execution Pattern / Decision Logic where it "calls Perplexity Search" and "analyzes results"), so the agent ingests and interprets open/public third‑party web content that could be untrusted or user-generated.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). This skill issues runtime POST requests to user-provided Zapier webhook URLs (e.g., https://hooks.zapier.com/hooks/catch/[your-url]) which execute remote Zapier workflows and are required for the skill's multi-step Zap functionality, so external URLs are used at runtime to execute remote code.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 15, 2026, 08:18 PM