findall-api

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt contains multiple examples that embed API keys and bearer tokens directly in code and headers (e.g., api_key="your_api_key", "Authorization": "Bearer token", "API-Key": "secret"), which encourages asking for or inserting secret values verbatim into generated code/requests and therefore creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The FindAll API explicitly discovers and ingests content from public web sources and returns candidate evidence (candidate.basis with citations, URLs, and excerpts in the GET /v1beta/findall/runs/{id}/result responses) and supports MCP server URL enrichments, so the agent will read and interpret untrusted third‑party web content.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 10:46 AM