api-publish

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to ask for credentials inline and to embed them verbatim in CLI commands and to relay generated API keys (e.g., using --username/--password, --token, or returning apiKey.apiKey), which requires the LLM to handle and output secret values directly, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and parse public, third‑party documentation from GitHub (e.g., the PolicyHub catalog at https://raw.githubusercontent.com/wso2/gateway-controllers/main/docs/README.md and multiple raw.githubusercontent.com links listed under "External docs" and in the references), and to use that untrusted content at runtime to build policy YAML and drive CLI/REST actions — which could allow indirect prompt-injection from arbitrary upstream markdown.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill's bundled install and setup scripts download and extract executables from GitHub release URLs at runtime (e.g. https://github.com/wso2/api-platform/releases/download/ap/... and https://github.com/wso2/api-platform/releases/download/gateway/v...), and the skill also instructs fetching live policy/docs from raw.githubusercontent.com (e.g. https://raw.githubusercontent.com/wso2/gateway-controllers/main/docs/README.md and other raw.githubusercontent.com doc links) which the agent uses at runtime to build policy YAML — these are runtime remote fetches that supply code/configuration the agent will execute or inject into deployments.