swagger-api-reader
Fail
Audited by Snyk on Mar 4, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt's examples and flags (e.g., --token "TOKEN", --password "PASS", --key-value "KEY") instruct embedding API keys/passwords directly into command-line arguments, which requires the model to handle and output secret values verbatim and thus poses an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill fetches and parses Swagger/OpenAPI documents from arbitrary user-supplied/public URLs (see scripts/swagger_reader.py: fetch_swagger and fetch_with_browser which use requests/selenium to load and extract JSON/YAML from web pages), so it ingests untrusted third‑party content that the agent reads and uses to generate docs and drive subsequent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill fetches arbitrary Swagger/OpenAPI documents at runtime from the user-supplied --url (e.g., the Swagger JSON/YAML URL such as https://.../swagger.json or a Swagger UI page) and injects that fetched content into generated Markdown/docs used by the model, meaning remote content can directly control the agent's context/prompts.