openapi2cli

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt's examples explicitly show embedding API keys and bearer tokens in shell commands and CLI flags (e.g., export MY_CLI_API_KEY="sk-..." and python my-cli.py --api-key "sk-..."), which requires the agent to include secret values verbatim in generated output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill's SKILL.md explicitly instructs the agent to "generate" a CLI from OpenAPI specs hosted at arbitrary URLs (e.g., "uvx openapi2cli generate https://.../openapi.json" and the GitHub raw URL example), so the agent fetches and interprets untrusted third-party API specs that can materially influence generated commands and subsequent actions.