api-authentication

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples and scripts that accept or show API keys passed directly on the command line (e.g., bash scripts/setup-auth.sh sk_your_api_key_here) and references curl/header usage, which encourages embedding secrets verbatim in commands or outputs and thus creates exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Deno example imports runtime code directly from https://deno.land/std@0.177.0/http/server.ts, which causes remote code to be fetched and executed at runtime and is used as a required dependency in that example.