docx-to-md

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt instructs a standalone mode that requires passing an API key as a command-line argument and even shows a secret-like example ("sk-ant-..."), which encourages including secret values verbatim in generated commands/outputs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The script, when run with --api-key, calls the Anthropic service via the anthropic Python client (anthropic.Anthropic) to send image bytes and the VISION_PROMPT and inline the model's responses at runtime (i.e., it performs remote model inference via the Anthropic API), which is an external runtime call that directly controls the agent's output.