declarative-agent-developer

Fail

Audited by Snyk on Mar 29, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs the agent to read M365_TITLE_ID from env/.env.local and embed it verbatim into the user-facing test URL, forcing the LLM to output an environment value (which may be sensitive) directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and consume external, user-provided URLs (e.g., OpenAPI specs via --openapi-spec-location in references/api-plugins.md and OAuth well-known discovery in references/authentication.md), causing the agent to read and act on untrusted third-party content that can influence tool behavior and plugin configuration.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly shows and requires using an OpenAPI spec URL (e.g., https://repairshub.azurewebsites.net/openapi.json) as the --openapi-spec-location for the ATK CLI. That URL is fetched at runtime, and its specification and metadata can be incorporated into the generated plugin manifest (description_for_model / functions) and thus directly influence agent prompts and behavior, so this is a runtime external dependency that can control the agent.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 29, 2026, 02:19 PM
Issues: 3