flutter-use-http-package

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs embedding an Authorization header directly in request code (e.g., HttpHeaders.authorizationHeader: 'Bearer your_token_here'), which encourages placing secret tokens verbatim in generated code/outputs and thus creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md workflow and example code explicitly fetch and parse JSON from an open public URL (e.g., the fetchPhotos example calling https://jsonplaceholder.typicode.com/photos and the "Use when you need to fetch from or send data to a REST API" guidance), so the agent would ingest and act on untrusted third-party content as part of its normal workflow.