odoo-woocommerce-bridge

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt's example code hard-codes API credentials and an Odoo password as string literals (consumer_key/consumer_secret and pwd), encouraging embedding secrets verbatim in generated scripts and risking exfiltration if real keys are provided.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). This skill fetches and processes untrusted, user-generated content from external WooCommerce stores via the WooCommerce REST API (see SKILL.md examples using wcapi.get("orders", ...) and wcapi.get("products", ...) against https://mystore.com), and that data is read and used to create Odoo orders and issue updates (wcapi.put), so third-party content can materially influence agent actions.