ultrathink-protocol

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The protocol explicitly requires quoting command/output evidence verbatim (OBSERVATION) and provides diagnostics that read process env and files (e.g., /proc//environ, gh api, strace), so an agent following it may be required to include secret values found in those outputs directly in its responses.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). SKILL.md explicitly instructs the agent to escalate to public web search and to read upstream public source code (e.g., "Read the upstream source (GitHub, package registry)" and the diagnostic toolkit's "gh api repos///contents/<path/to/file>" example), so the agent is expected to fetch and interpret untrusted, user-generated third‑party content that can materially change its actions.