httpx

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt includes multiple examples that embed API keys and passwords directly into headers and client constructors (e.g., 'Bearer your-token-here', 'your-secret-api-key', username/password literals), which would lead an agent to output secrets verbatim if real credentials are supplied—an insecure pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill is an HTTP client that performs requests to arbitrary external URLs (e.g., functions like make_request_with_retry(url), download_with_progress(url), client.get(...) and the websocket_example), and those examples parse/consume response.json() or streamed bytes, meaning the agent would fetch and read untrusted public web content that could contain indirect prompt injection.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 15, 2026, 09:18 PM