google-sheets

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes an explicit bearer-token-style value in the example environment export (ya29.xxxxxxxxxx), which is a secret-like literal and encourages embedding or reproducing secrets rather than keeping them hidden, so it risks secret disclosure.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly includes a "Read Sheet Data" curl against https://sheets.googleapis.com/.../values which ingests Google Sheets content (user-generated or publicly shared third‑party data) that the agent would read and could materially influence subsequent actions.