blog-post

Fail

Audited by Snyk on Apr 21, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly requires the agent to display raw JSON responses verbatim (and to render and use returned presignedUrls), so any secret-like values the API returns (tokens, presigned URLs, etc.) are output verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md shows that the agent fetches and displays blog post data and AI-generated/proposedContent (e.g., GET /api/v2/blog-posts/{blog_post_id}, generation/ai-operations polling responses, and export downloadUrls/presignedUrls) from a public blog API, and is required to render that content and use it to decide on and apply actions (e.g., calling accept), so untrusted user-generated content can materially influence tool use.

Issues (2)

W007 (HIGH): Insecure credential handling detected in skill instructions.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 21, 2026, 04:04 PM
Issues: 2