thesportsdb-api

Fail

Audited by Snyk on Feb 26, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt embeds API keys directly in example URLs (e.g., "3" and "123") and instructs forming requests with the API key in the URL, which requires the model to include credential values verbatim in outputs/requests.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly instructs the agent to fetch and ingest public data from TheSportsDB API endpoints (e.g., https://www.thesportsdb.com/api/v1/json/3/all_leagues.php and various search/lookup endpoints), which are open third‑party web sources whose returned content the agent reads and uses to drive follow-up requests and display decisions.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 26, 2026, 08:05 PM