agent-toolkit-setup

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to ask the user for the full API key and to write it into the project's .env and use it in Authorization headers/commands, which requires handling and potentially emitting the secret value verbatim (high exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly directs the agent to fetch manifest and SKILL.md files from ${AGENT_TOOLKIT_BASE_URL}/api/agent-skills (e.g., GET ${AGENT_TOOLKIT_BASE_URL}/api/agent-skills/{skill_name}/SKILL.md) and instructs the agent to inject that fetched Markdown into its system/user prompt, so arbitrary/untrusted skill documents served from the configured Base URL can supply instructions that materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches remote instructions at runtime from ${AGENT_TOOLKIT_BASE_URL}/api/agent-skills/{skill_name}/SKILL.md and explicitly instructs agents to "inject this into the agent's system/user prompt," meaning external content directly controls prompts during execution.