datadog

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt shows and encourages inserting the Datadog API key directly into CLI commands (e.g., docker -e DD_API_KEY=<YOUR_API_KEY>, helm --set datadog.apiKey=<YOUR_API_KEY>), which promotes requesting and embedding real API keys verbatim in outputs—an insecure secret-handling pattern.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill includes runtime commands that fetch and execute remote code—e.g., the Linux installer using DD_API_KEY=... bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)" and the Java agent download wget https://dtdg.co/latest-java-tracer followed by -javaagent—so these external URLs are fetched and executed as required dependencies.