workos-migrate-auth0

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt explicitly instructs including sensitive values verbatim (e.g., passing Auth0 passwordHash fields into WorkOS API requests and showing an API key export like export WORKOS_API_KEY="sk_..."), so an agent following it would need to read and emit secret/hash values in requests or commands.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's Step 1 explicitly requires a blocking runtime WebFetch of https://workos.com/docs/migrate/auth0 as "the source of truth" before proceeding, meaning fetched content directly controls the agent's instructions and is a required runtime dependency.