writing-handlebars

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This skill prompt explicitly shows and encourages accessing connection objects (e.g., {{@root.connection.http.encrypted.apiKey}}) and even instructs serializing the full runtime context (jsonSerialize this) which would cause API keys/credentials present in the connection object to be emitted verbatim — creating a direct secret-exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The documentation explicitly exposes and documents how to access connection.auth fields (including connection.http.encrypted), how to serialize the entire runtime context (e.g., {{{jsonSerialize this}}}) and send it to an endpoint (including an echo/mirror endpoint), and shows helpers (base64Encode, aws4, hmac, jsonParse/serialize) that can be combined to collect and transmit secrets — a clear data-exfiltration / credential-theft vector if misused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (medium risk: 0.65). Outsider free text can enter the LLM context via runtime record fields used in Handlebars templates (e.g., mappings[].extract, HTTP body/postBody, SQL rdbms.query, output filters), where record.* is populated from external source data such as public API/webhook payloads or other non-user-authored inputs.