webflow-deploy-integration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes insecure examples that place secret values directly on the command line or pipe them into CLI commands (e.g., fly secrets set WEBFLOW_API_TOKEN=your-prod-token, echo "your-prod-token" | gcloud secrets create), which encourages embedding secrets verbatim and could cause an agent to output them.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The Vercel webhook handler (api/webhooks/webflow.ts) explicitly accepts and processes Webflow webhook payloads (e.g., form_submission, ecomm_new_order) — user-generated/untrusted content from Webflow — which the skill is required to read and act on via handleFormSubmission/handleNewOrder, so third-party data can influence runtime behavior.