wonda-cli

Fail

Audited by Snyk on May 11, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). Yes — the prompt includes many examples that place API tokens, session cookies, and passwords directly into CLI arguments or heredocs (e.g., --auth-token/--ct0, --li-at-value/--jsessionid-value, --session-value, and password-stdin <<< "hunter2"), which would require an LLM to insert secret values verbatim into generated commands or instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to fetch and analyze public, user-generated content (e.g., "wonda scrape social --handle @competitor", "wonda x search", "wonda reddit search", "wonda scrape video --url", and clipping/analytics commands) as a required Step 1 for research. Those scraped social/forum pages and URLs are then used to drive generation, publishing, and next actions, creating a clear vector for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The CLI command wonda skill get <slug> fetches remote skill definitions from the Wonda service at runtime (the wonda skill API endpoint), and those fetched skill steps explicitly prescribe models, prompts, and execution steps, so content fetched at runtime can directly control agent prompts/instructions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill includes an explicit payment integration: "wonda topup (opens Stripe checkout)" to add credits. This is a specific Payment Gateway mention (Stripe) and a built-in command that initiates payments, which meets the Direct Financial Execution criteria.

Issues (4)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
May 11, 2026, 07:24 AM
Issues
4