add-user

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill asks for an admin API key and shows a curl example that embeds the Authorization: Bearer key and also instructs displaying the newly generated user API key, requiring the agent to accept and include secret values verbatim in requests and output.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly calls a proxy admin API to create users and includes a "max_budget" parameter that the agent can set via POST /user/new. Although it's not a payment gateway or crypto wallet, it provides a specific API-capability to set/update monetary budget limits for users (i.e., changing financial/budget configuration), which matches the rule to flag APIs that update budgets. This is a specific financial operation rather than a generic tool like "make HTTP request" or "click a button."