curl-http

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes numerous examples that embed credentials directly into curl/httpie commands and headers (e.g., Authorization: Bearer token, -u username:password, X-API-Key: key123), which encourages the LLM to output secret values verbatim when generating requests.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly runs curl against arbitrary user-provided/open URLs and parses their responses (see SKILL.md usage guidance and scripts/http-debug.sh and scripts/api-tester.sh which accept and fetch arbitrary URLs), so it ingests untrusted third‑party content that could influence subsequent analysis or actions.