add-icon

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly extracts Font Awesome kit IDs from project files, passes them as command-line arguments to scripts (./scripts/fetch-kit.py --kit-id ) and writes the kit ID into .font-awesome.md, which requires the agent to handle and output token values verbatim, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill's scripts/fetch-kit.py is run at runtime and fetches the kit JS from https://kit.fontawesome.com/.js (and queries https://api.fontawesome.com) and then parses that remote configuration to determine integration method, license, available families, and other decisions that directly influence agent behavior, so these external URLs control the agent's instructions.