json-no-code-connector

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt's examples and workflow explicitly show embedding developer tokens, API keys, Bearer tokens, and plaintext usernames/passwords into curl headers and JSON bodies (e.g., X-Domo-Developer-Token: {devToken}, "password":"yourPassword", "apiKey":"your-api-key-here", and the HubSpot "Bearer pat-..."), which requires the agent to include secret values verbatim in generated requests/commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The workflow's Step 1 ("Inspect the API") and the jsonSelection/jsonUrl configuration require fetching and parsing arbitrary public API URLs (e.g., the curl example and jsonSelection.jsonUrl) so the agent will read and act on untrusted third‑party JSON to determine parsing and execution behavior.