ml-supply-chain

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes a fetch_news function that accepts an api_key and embeds it directly into HTTP request parameters (and an example calling assess_supplier_risk(..., api_key='your_api_key')), which encourages asking for and inserting secrets verbatim into requests/outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's "Supplier Risk Analysis from News" workflow (fetch_news in SKILL.md) explicitly fetches articles from the public News API (newsapi.org) and then analyzes that untrusted third‑party article text to produce risk scores, so external content can directly influence model decisions and outputs.