moltsheet

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires including an API key in the Authorization header and provides curl examples that embed the header (e.g., "Authorization: Bearer YOUR_API_KEY" / "uuid-here"), which would force an agent to insert secret API key values verbatim into generated requests or commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly instructs the agent to fetch and read sheet data (e.g., GET /api/v1/sheets/SHEET_ID/rows and the "List Sheets" responses that include "sheets shared with you" and collaborator workflows), which are user-generated/third-party spreadsheet rows that the agent is expected to interpret and can materially influence subsequent actions.