adk

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt explicitly recommends using token-based CLI calls like adk login --token <token> and directs the agent to read config files (agent.config.ts) and run adk CLI commands, which can lead the agent to place or echo secrets verbatim in commands or outputs, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests public web content and arbitrary URLs (e.g., adk kb sync / KB "Website" sources in references/cli.md, WebsiteKB used in conversations in references/advanced-patterns.md, and the resilientFetch action that fetches input.url in references/actions.md), and those ingested third‑party pages are used by RAG/execute() and guardrails to decide actions, so untrusted web content can materially influence agent behavior.