workos-api-events
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes curl and verification examples embedding Authorization: Bearer sk_... headers (API keys passed directly in command output), which instructs the agent to place secret values verbatim into generated commands/requests.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the agent at runtime to "WebFetch" the WorkOS docs (https://workos.com/docs/reference/events and https://workos.com/docs/reference/events/list), so fetched remote content would directly influence agent instructions/behavior and is treated as a required dependency.