convex

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes an explicit example that places an API key value inline on the command line ("npx convex env set OPENAI_API_KEY sk-xxx"), which encourages handling and embedding secret values verbatim and is therefore insecure.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests untrusted third-party content — e.g., HTTP endpoints that read request bodies at convex/http.ts (the "/webhook" handler) and an action that calls an external API at https://api.openai.com/v1/chat/completions — and then processes those payloads (ctx.runMutation / writing summaries), so external content can influence subsequent actions and state.