session-compound

Fail

Audited by Snyk on May 11, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs the agent to inject the analyzer's complete JSON into the HTML (), and that JSON may contain raw agent_invocations / tool call logs (which can include API keys, bearer tokens, cookies or other secrets), so the LLM would need to reproduce secrets verbatim if present.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md Step 4) runs npx skills find "<query>" against the public ecosystem and injects those external results as existing-skill candidates that the downstream agent is expected to act on (the template instructs automatic npx skills add ... installs), meaning untrusted third‑party skill metadata/URLs are fetched and can directly influence tool execution and next actions.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 11, 2026, 08:28 AM
  • Issues: 2