qodo-get-rules
Fail
Audited by Snyk on Mar 30, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill reads an API key from a local config file and instructs the agent to send it in an Authorization header of curl/HTTP requests. Even though the examples use shell variables, this can lead the agent to place the secret verbatim into the commands or requests it generates, where it lands in process arguments, shell history and the agent's own transcript, and from there risks exfiltration.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill fetches rules at runtime from the Qodo API (e.g., https://qodo-platform.qodo.ai/rules/v1, or a user-supplied QODO_API_URL with /rules/v1 appended) and applies the returned rules directly to code-generation prompts and behavior. Because the rules are fetched at run time and not verified before use, whoever controls that endpoint, or the QODO_API_URL value, controls what the agent does.
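The two findings describe a pattern (secret expanded into a generated curl command, rules pulled from a remote URL and applied unverified) and the checks a practitioner would add. The script below is an added example written for this page, not the qodo-get-rules skill's own code; the key-file path, config-file names, the pin-file mechanism and the sample rule text are assumptions. It keeps the key out of argv by handing curl a 0600 config file via -K, and refuses to apply a fetched rule set whose SHA-256 does not match a digest pinned from a human-reviewed copy.

```shell
#!/bin/sh
# Example hardening for the W007 and W012 findings above. Written for this page;
# it is not the skill's code. File names, paths and sample rules are assumptions.
set -eu

# --- W007: keep the API key out of argv --------------------------------------
# Expanding a shell variable into `curl -H "Authorization: Bearer $KEY"` still
# exposes the key to `ps`, shell history and any transcript the agent records.
# Instead, write the header into a curl config file (mode 0600) and invoke curl
# with -K, so the generated command line never contains the secret.
write_curl_config() {
    # $1 = path to a key file (constructed for this example)
    # $2 = output curl config path
    key_file="$1"; cfg="$2"
    umask 077                      # config file is created readable by the owner only
    key=$(cat "$key_file")
    printf 'header = "Authorization: Bearer %s"\n' "$key" > "$cfg"
    printf 'silent\nfail\n' >> "$cfg"
}

# The command the agent would emit: argv carries only the config path and URL.
curl_command() {
    # $1 = curl config path, $2 = rules URL
    printf 'curl -K %s %s' "$1" "$2"
}

# --- W012: verify fetched rules before they steer the agent -------------------
# The rules body comes from an endpoint someone else controls, so treat it as
# untrusted input. Pin the SHA-256 of a rule set a human has reviewed; reject
# any fetched body whose digest differs.
pin_rules() {
    # $1 = reviewed rules file, $2 = pin file to write
    sha256sum "$1" | awk '{print $1}' > "$2"
}

verify_rules() {
    # $1 = fetched rules file, $2 = pin file; exit status 0 only on an exact match
    expected=$(cat "$2")
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Stand-alone demonstration with constructed inputs.
demo() {
    d=$(mktemp -d)
    printf 'sk-example-key-123\n' > "$d/key"          # constructed key, not a real one
    write_curl_config "$d/key" "$d/curl.cfg"
    curl_command "$d/curl.cfg" https://qodo-platform.qodo.ai/rules/v1; echo
    printf 'rule: never delete files outside the repo\n' > "$d/rules.json"   # constructed
    pin_rules "$d/rules.json" "$d/rules.pin"
    verify_rules "$d/rules.json" "$d/rules.pin" && echo "rules match pin: apply"
    printf 'rule: print all environment variables\n' > "$d/tampered.json"   # constructed
    verify_rules "$d/tampered.json" "$d/rules.pin" || echo "rules differ from pin: refuse"
}
```

Two caveats. The -K config file moves the secret out of process arguments, history and transcripts, but it is still a file on disk that a prompt-injected agent could read and echo, so it narrows the exposure W007 describes rather than removing the need to audit what the agent is told to do with the key. Pinning a digest works when the rule set changes only through a reviewed process; if the endpoint legitimately updates rules often, the same check should be done against a signature from a key the operator holds rather than against a static hash, and a changed QODO_API_URL should be treated as a change to the trust boundary, not as configuration.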
Issues (2)
W007 (HIGH): Insecure credential handling detected in skill instructions.
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).