ce-proof

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt explicitly instructs extracting access tokens from URLs and embedding them into API requests/headers (e.g., x-share-token / Authorization: Bearer / curl examples), which would require the agent to handle and potentially output secret values verbatim unless mitigated by runtime-only variables—creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly reads and ingests user-authored content from Proof (e.g., GET /api/agent/{slug}/state and the Phase 2 ingest pass that filters marks authored by human:* in references/hitl-review.md) and uses those comments/markdown to decide and perform edits, so untrusted third-party/user-generated content can directly influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill calls Proof API endpoints at runtime (e.g., https://www.proofeditor.ai/api/agent/{slug}/state and https://www.proofeditor.ai/api/agent/{slug}/ops) to fetch markdown and human-authored marks/comments which the agent directly reads and uses to decide and apply edits, so these URLs are runtime dependencies that directly control the agent's instructions.