trading-signals

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly tells the agent to call the registration endpoint, save the returned apiKey, and include it verbatim as an X-Api-Key header (and in curl examples), which requires the LLM to handle and potentially output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill directly instructs the agent to fetch and act on live signals from the public third‑party API at https://signals.x70.ai (e.g., GET /api/skill/signals and GET /api/skill/stats in the "Recommended Workflow" and API reference), so external, untrusted content could be read and used to drive decisions or automated actions.