industry-key-contact-radar-api-skill

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly tells the agent to ask the user to provide the BROWSERACT_API_KEY if the environment variable is not set, which creates a flow where the LLM may receive and be asked to include secrets verbatim rather than keeping them in environment variables or other secure handles.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's script (scripts/industry_key_contact_radar_api.py) calls the BrowserAct API to search and extract public profiles from third-party sites (e.g., facebook.com, linkedin.com, github.com per SKILL.md) and returns profile fields like "Introduction" and profile URLs that the agent is expected to read and act on, which are untrusted, user-generated web content.