variable-creation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's step-by-step curl/CLI commands explicitly require an X-DOMO-Developer-Token (devToken) header and the prereqs mandate a developer token, which forces the agent to insert or reproduce a secret API token verbatim in generated commands — a direct secret-exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly reads a live card definition from the user's Domo instance (Step 4: PUT https://{instanceUrl}/api/content/v3/cards/kpi/definition) and mandates saving/merging definition.controls, subscriptions, modified timestamps, etc. into the Step 5 save payload, so user-generated/untrusted card content from that third-party instance is consumed and can materially influence subsequent API calls.