sk-actions-custom-provider

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to request client secrets and access tokens and to print fully resolved cURL commands (including the Production access token and actual env_access_token/client_secret values) in outputs, which requires emitting secrets verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow asks for and instructs the agent to "read the docs" and to accept an API/docs link from the user (Interaction Flow steps asking for "API docs link" and step "Read the docs and infer which auth type it is" in SKILL.md), so it will fetch/ingest arbitrary external API/auth documentation that can materially influence provider JSON, curl construction, and subsequent actions—exposing it to untrusted third-party content that could carry indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs runtime curl requests against user-supplied environment URLs (e.g., {{SCALEKIT_ENVIRONMENT_URL}}/oauth/token and {{SCALEKIT_ENVIRONMENT_URL}}/api/v1/providers) to fetch tokens and the Dev provider JSON which the skill then uses as the authoritative payload for create/update operations, so the external environment URL is a runtime dependency whose fetched content directly controls the agent's output.