http-cache-tools

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that ask for or show session cookies, passwords, and bearer tokens being inserted directly into curl commands (e.g., -H "Cookie: SESS...", -u username:password, Authorization: Bearer TOKEN), which would require the LLM to output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). This skill runs curl/httpie against arbitrary URLs (e.g., "curl -sI https://example.com/" and the cache-debug.sh / cache-compare.sh scripts that accept a URL parameter and docker-compose examples using external URLs), so it clearly fetches and processes HTTP responses from potentially untrusted, user-supplied web pages as part of its workflow.