travel-planning

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes CLI commands (e.g., xiaohongshu-cli view/screenshot <note_id> <xsec_token>) that explicitly require a secret token as a positional argument, which would force the LLM to embed secret values verbatim in generated commands — an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md workflow explicitly invokes xiaohongshu-cli (user travel notes/search) and ctrip-cli destination/search (public destination pages and travel notes) to fetch and ingest user-generated/public third-party content which the agent is expected to read and use to drive planning decisions and subsequent tool calls.