workos-api-authkit

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes inline bearer tokens (e.g., "sk_live_...") in curl examples and plaintext example passwords, which encourages embedding secret values verbatim into generated commands or code and thus requires the LLM to handle/output secrets directly.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the agent to "WebFetch the relevant docs" at runtime (e.g., https://workos.com/docs/reference/authkit), meaning external content would directly control the agent's instructions and is required before proceeding.