coinstats-nft

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt's auth example uses coinstats login --api-key <key>, which requires embedding an API key directly on the command line (a verbatim secret), creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly defines commands (e.g., "coinstats nft trending", "coinstats nft collection", "coinstats nft asset") that fetch NFT and wallet data from the third‑party CoinStats service, and that NFT/marketplace metadata is user-generated/untrusted content the agent will read and could influence its responses or actions.