modelslab-webhooks

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt's examples show API keys passed directly in request payloads (e.g., "key": api_key and usage with "your_api_key"), which encourages embedding user secrets verbatim in generated code and requests and therefore requires the LLM to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill exposes the agent to untrusted third-party content by accepting ModelsLab webhook callbacks at endpoints such as /webhook/modelslab (and ngrok-exposed URLs). These callbacks deliver JSON payloads, including output URLs and a meta.prompt field originating from https://modelslab.com, which the agent reads and processes.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 02:36 AM