configure-api-gateway

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes concrete secret values and examples that embed credentials verbatim (e.g., "mobile-secret-key-123" in kong config and curl headers, and curl -u user1:password), which instructs the agent to output or replicate secrets directly.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes a runtime curl that downloads and installs/executes the decK binary from https://github.com/Kong/deck/releases/download/v1.28.0/deck_1.28.0_linux_amd64.tar.gz which is a remote executable fetched and run as a required dependency for configuring Kong (deck sync), so it meets the criteria for a risky external code-fetch/execute dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly includes privileged operations (e.g., "sudo mv deck /usr/local/bin/") and instructs installing binaries and applying system-level changes (kubectl apply) that modify the host/cluster state, so it encourages actions that require elevated privileges.