build-data-pipeline

Fail

Audited by Snyk on Apr 14, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The quick start includes a curl example that embeds an API key as a URL/query parameter (api-key=YOUR_KEY) which instructs placing secrets directly into command-line requests, an insecure pattern that would cause the LLM to output or handle secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and processes untrusted, user-generated on-chain data from third-party providers (e.g., Helius webhooks and WebSocket/RPC endpoints) as part of its required workflow — see the Quick Start curl to Helius and the webhook handler in references/indexing-patterns.md which reads req.body events and branches on event.type to perform database writes.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Apr 14, 2026, 03:15 PM
  • Issues: 2