webflow-ci-integration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes commands that instruct placing actual API tokens directly on the command line (gh secret set --body "your-test-token") and examples that would require copying tokens verbatim, which is an insecure credential-handling pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly calls the Webflow API (e.g., the curl check in "Step 3: Integration Test Workflow" and the tests that call webflow.sites.list and webflow.collections.list in "Step 4" and "Step 5"), which ingests live Webflow site and CMS data (third‑party/user‑generated) and uses that data to drive tests, schema validation, and publish actions—meeting the criteria for untrusted content that can influence behavior.