auth-web-cloudbase

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt's examples and Quick Start show embedding a "publishable key" (accessKey) and plaintext passwords/OTP tokens directly into code and instructs using an auth tool to obtain the publishable key, which encourages the agent to fetch and insert secret values verbatim into generated code—creating exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill lists the CDN-hosted CloudBase JS SDK (https://static.cloudbase.net/cloudbase-js-sdk/latest/cloudbase.full.js) as the runtime dependency for auth, which would be fetched and executed in-client and is required for the skill to operate.