get-market-quotes
Fail
Audited by Snyk on Jul 5, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill explicitly requires an API key be sent in the X-WorldMonitor-Key header and even shows a literal example key, so an agent generating requests or code could be expected to embed a secret value verbatim (exfiltration risk).
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). The documentation contains a fully-formed, high-entropy API key literal in the Authentication section:
X-WorldMonitor-Key: wm_0123456789abcdef0123456789abcdef01234567
This is not a generic placeholder (e.g., YOUR_API_KEY) nor a trivial example password; it matches a realistic API key pattern and appears to be a direct credential. No other high-entropy secrets (private keys, tokens, or PEM blocks) are present. Therefore this literal should be treated as a secret.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W008
HIGHSecret detected in skill content (API keys, tokens, passwords).
Audit Metadata