workos-api-widgets

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes explicit curl and header examples with "Authorization: Bearer sk_test_..." and tells users to "Replace with your actual API key", which encourages embedding real API keys directly into commands/outputs and would require the LLM to reproduce secrets verbatim if provided.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs the agent to "WebFetch the relevant docs" at runtime (https://workos.com/docs/reference/widgets and https://workos.com/docs/reference/widgets/get-token), so external content would be fetched during execution and could directly control the agent's instructions/behavior.