workos-api-audit-logs

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt repeatedly shows and instructs including the API key in Authorization headers (e.g., curl examples with "Authorization: Bearer sk_your_api_key" and guidance to verify keys start with sk_), which requires the agent to insert secret API key values verbatim into generated requests/commands.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the agent to "WebFetch the relevant docs before proceeding" and lists runtime URLs such as https://workos.com/docs/reference/audit-logs which the agent must fetch and whose content would directly determine how the skill proceeds, making this a runtime external dependency that controls agent behavior.