access-tokens
Fail
Audited by Snyk on Mar 11, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to display newly created personal access token values verbatim (shown once), requiring the LLM to output secret values directly and creating an exfiltration risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The manifest schema explicitly warns that remote agent_card_url (e.g. https://research-agent.example.com/.well-known/agent.json) and remote OpenAPI spec URLs (e.g. https://api.weather.example.com/openapi.json) are fetched at runtime and converted into MCP tools/agent behavior, meaning those external URLs can directly control agent prompts and capabilities.
Audit Metadata