cmc-api-crypto
Fail
Audited by Snyk on Mar 14, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill's examples show curl commands that place the API key directly in request headers (e.g., -H "X-CMC_PRO_API_KEY: your-api-key"), which implies the agent would need to embed a user's API key verbatim into generated commands/requests.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill routinely instructs the agent to call public CoinMarketCap API endpoints (e.g., /v2/cryptocurrency/info and other endpoints shown in SKILL.md and references/info.md) and to read/interpret response fields such as description and urls (website, reddit, message_board, technical_doc, chat), which are third-party/untrusted content that could contain or point to user-generated instructions that materially influence subsequent decisions or actions.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).