cloudflare-images

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that instruct embedding API tokens/account IDs directly (e.g., curl -H 'Authorization: Bearer <API_TOKEN>' and "Edit with your account ID and API token"), which requires placing secret values verbatim into commands/code and thus poses exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill ingests arbitrary public content — e.g., "Upload via URL" and the API examples in SKILL.md and references/api-reference.md, the batch/template code (templates/batch-upload.ts -> migrateImagesFromURLs / batchUploadViaURL) and the /cdn-cgi/image/ URL transformation examples explicitly fetch and transform images from arbitrary external URLs, meaning the agent will read/interpret untrusted, third‑party user-provided content.