atypica-pulse

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples and workflows that embed a Personal API Key directly in shell commands (inline environment assignments like ATYPICA_API_KEY="atypica_xxx") and instructs users to paste keys during interactive login, which encourages the agent to handle and output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly shows the CLI fetching Pulse details that include an array of aggregated "original social source posts" (url, author, content) from public social media (see the "Fetch a single pulse in full detail" and Use Case B sections), which the agent is expected to read/interpret via --json and use to guide downstream analysis or actions, exposing it to untrusted third‑party content that could inject instructions.