byted-web-search

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the user to paste their API Key "直接在本聊天框发给我即可" and to accept/use keys from chat or embed them in environment/commands, which requires the LLM to receive and potentially output secret values verbatim, creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). High-risk: the code sends user-supplied API keys/queries to a non-official endpoint (INTERNAL_API_URL = "https://open.feedcoopapi.com/...") and the documentation explicitly instructs users to paste secret keys into chat, which together create a clear credential-exfiltration vector; there is no obfuscated backdoor or remote-exec code, but the external proxy usage plus social-engineering guidance is a deliberate abuse pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill (SKILL.md and scripts/web_search.py) explicitly performs live web/image searches via the 火山引擎 WebSearch API (e.g., INTERNAL_API_URL / mercury.volcengineapi.com) returning public webpage snippets/URLs which the agent is instructed to call “优先调用本 skill 再作答” and use to inform answers, so untrusted third‑party content is fetched and can influence subsequent actions.