sleek-design-mobile-apps

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires including an Authorization: Bearer <API_KEY> header on every request and shows request examples with the key placeholder, implying the agent must insert the actual secret into generated requests (no guidance to use env vars or platform-managed auth), so it requires handling secrets verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's Chat — Send Message endpoint accepts arbitrary HTTPS imageUrls (message.imageUrls) which are ingested as visual context from untrusted third-party sources and can influence the AI run's operations and the agent's subsequent actions (screens created/updated and screenshots), enabling indirect prompt injection.