setup

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to ask the user for API keys and then write/export those values into shell profiles and .env files (e.g., export OUTBOUND_API_KEY="<the API_KEY from Step 3>"), which requires the LLM to receive and output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The setup flow explicitly sends requests to and parses responses from external endpoints (the user-deployed Railway outbound-tools URL and the hosted API at https://signals.gtm-engine.sh/mcp), for example the Step 5 cURL smoke-tests that jq-extract '.result.content[0].text', so untrusted third-party responses are ingested and can influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The setup instructs the operator to run railway init --template outbound-tools, which fetches and deploys remote template code from Railway (e.g. https://railway.app) during setup and thus causes execution of externally fetched code required by the skill.