xcrawl-search

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires returning the "request_payload" used for the request while the API requires an Authorization: Bearer <api_key> header (and the examples show embedding the API key), which forces the agent to include the secret verbatim in its output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill directly calls the XCrawl Search API (POST https://run.xcrawl.com/v1/search) and returns raw upstream search result bodies as-is, exposing the agent to untrusted public web content (search results/user-generated pages) that it will read and that can influence follow-up actions.