http-request

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's examples and auth options explicitly show embedding tokens, API keys, and passwords directly in command lines and headers (e.g., --auth bearer:TOKEN, --header "X-API-Key: secret"), which would require the LLM to include secret values verbatim in its output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly lets the agent make GET/POST requests to arbitrary http/https URLs (see SKILL.md examples like https://jsonplaceholder.typicode.com and the request.sh/index.js code that accept external URLs and return/format response data), so it fetches untrusted public web content that the agent will read and could materially influence subsequent behavior.