ledda

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to read API keys from .ledda/.credentials and embed them verbatim as Bearer tokens in Authorization headers when calling the Ledda API, which requires the LLM to handle and output secret values directly.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill fetches documentation at runtime from the Ledda API endpoints (e.g. https://app.ledda.ai/docs/version and https://app.ledda.ai/docs/md/reference and https://app.ledda.ai/docs/md/guide), and that fetched content is read and used to guide the agent's behavior, so these external URLs can directly control prompts.