workos-api-directory-sync

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt repeatedly shows and instructs placing API keys directly into Authorization headers and curl commands (e.g., "Authorization: Bearer sk_live_..."), which requires the agent to embed secret values verbatim in generated requests/commands.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill explicitly instructs the agent at runtime to "WebFetch the relevant docs" (e.g. https://workos.com/docs/reference/directory-sync), so external content from that URL would be fetched during execution and could directly alter agent behavior/instructions.