wecom-smartsheet-api

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). Insecure: the prompt instructs copying full session cookies (document.cookie) and shows examples of passing the cookie string verbatim (command-line args / exports), which would require the agent to handle and output secret tokens directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill directly fetches and decodes arbitrary WeCom smart sheet documents from doc.weixin.qq.com via the dop-api/opendoc endpoint (see SKILL.md and scripts/fetch-smartsheet.mjs), parsing user-generated sheet content as part of its normal workflow, so untrusted third‑party content could influence parsing/pagination and any downstream decisions that consume those records.