anygen-diagram

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes a direct API-key command-line example ("anygen auth login --api-key sk-xxx") which encourages embedding secret values verbatim in generated commands, creating an exfiltration risk even though safer env-var and browser-login alternatives are mentioned.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs use of the AnyGen CLI against www.anygen.io (e.g., anygen auth / anygen skill install) at runtime to install and run the anygen-workflow-generate skill and to perform diagram generation, which fetches and executes remote code and can thereby control agent behavior.