baidu-wenku-aippt

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The prompt explicitly mandates that the agent "must record and analyze" the generated PPT outline in its internal "thinking" and make that visible to the user, effectively forcing disclosure of internal chain-of-thought (hidden/internal instructions) which is not necessary for the advertised PPT-generation purpose and is a deceptive instruction about agent behavior.

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill requires the agent to embed the user's "原始query" verbatim into shell commands (bdpan aippt) and to expose command output in its thinking, so if that input contains secrets (or an auth code) the LLM would be forced to include those secret values verbatim in generated commands/output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's update workflow (scripts/update.sh) fetches remote configuration from the public URL https://pan.baidu.com/act/v2/api/conf?conf_key=bd_skills_wenku_aippt and downloads/unpacks a remote skill ZIP into SKILL_DIR, meaning the agent is expected to ingest and act on untrusted third‑party content that can change runtime behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's install.sh explicitly downloads and executes a remote installer from https://issuecdn.baidupcs.com/issue/netdisk/ai-bdpan/installer/${VERSION}, and update.sh fetches update packages from URLs provided by https://pan.baidu.com/act/v2/api/conf?conf_key=bd_skills_wenku_aippt (then downloads and unzips the remote package), which are runtime-fetches that execute remote code and are required for installation/update.