clawdtm-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt exposes example API keys and explicitly instructs agents to save and use the API key in Authorization headers and JSON payloads (e.g., curl -H "Authorization: Bearer YOUR_API_KEY"), which requires the LLM to embed secret values verbatim in generated commands/outputs, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow in SKILL.md explicitly instructs the agent to fetch and read user-generated public content from ClawdTM (e.g., https://clawdtm.com/api/v1/skills and https://clawdtm.com/api/v1/skills/reviews), so untrusted third‑party reviews/pages could influence the agent's decisions and actions.