workos-api-sso

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes explicit example API keys (e.g., sk_live_1234567890) and curl examples that place Bearer tokens in Authorization headers, which requires the agent to handle or reproduce secret values verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill's README explicitly instructs the agent to "WebFetch the relevant docs" at runtime (e.g. https://workos.com/docs/reference/sso), meaning external documentation would be fetched during execution and could directly alter the agent's implementation/instructions.