cross-market-indicators

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes a hardcoded API key in the curl AUTH header and instructs using those curl commands, which forces the LLM to emit the secret value verbatim in generated requests/commands.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill mandates using a single private API endpoint (an IP address) with a hardcoded API key and explicitly forbids other data sources, which creates a forced, centralized external data channel that can be used to collect user queries and responses (high risk for data exfiltration/hidden telemetry); there is no evidence of direct remote code execution, obfuscation, or supply‑chain hooks in the content itself.