SkillsMP API
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to ask the user for their API key and shows commands (python scripts/setup.py <API_KEY>) and .env contents that embed the API key, requiring the LLM to receive and potentially output the secret verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's scripts (scripts/search.py, scripts/ai_search.py, and scripts/install_helper.py) make HTTP requests to the public SkillsMP API endpoints (e.g., https://skillsmp.com/api/v1/skills/search and /api/v1/skills/ai-search) and ingest/display marketplace entries (skill names, descriptions, authors, GitHub URLs) which are third‑party/user‑provided content that the agent reads and acts on.