quota-reporter

Fail

Audited by Snyk on May 11, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill instructs the agent to collect, store, and upload personal auth tokens, and it requires that probe payloads and HTTP response bodies (which can contain tokens or credentials) be shown, so the agent may be required to include secret values verbatim in its outputs.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill intentionally collects local service credentials (Codex and Claude), uploads them to a remote "auth pool", stores a persistent personal access token locally, and can fetch and install other users' credentials. This constitutes deliberate credential exfiltration, credential injection, and persistent remote-controlled credential rotation, even though the scripts contain no obfuscation and no traditional reverse shell.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill contacts an external auth pool (default DEFAULT_AUTH_POOL_URL "https://quota-report-hub.vercel.app/") through calls such as request_auth_pool_token, post_auth_pool_entry, post_auth_pool_quota, fetch_best_auth and the /api/status endpoint (see scripts/quota_reporters.py and scripts/quota_guard.py), and it parses the returned auth_json/replacement data and installs it into local auth files. This consumes untrusted, potentially user-generated third-party content and can directly change which credentials and tools the agent uses.


Audit Metadata

Risk Level: CRITICAL
Analyzed: May 11, 2026, 03:42 AM
Issues: 3