proof
Fail
Audited by Snyk on Apr 18, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to extract access tokens from Proof URLs and then include them directly in curl headers/commands and example scripts (e.g., x-share-token / Authorization headers and TOKEN variables), which requires the LLM to handle and emit secret values verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and reads user-authored Proof documents and marks from the public Proof API (e.g., "GET /api/agent/{slug}/state" in SKILL.md and the HITL Review Phase 2 which filters marks with "by" starting "human:") and then interprets those comments to decide and perform edits/replies (Phase 2.3–2.4), so untrusted third‑party content can directly influence agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime calls to Proof's API (e.g., https://www.proofeditor.ai/api/agent/{slug}/state and https://www.proofeditor.ai/share/markdown) to fetch document state and human-authored marks/comments which the agent ingests and uses to drive edits and replies, so the external content directly controls the agent's instructions and is a required runtime dependency.
Issues (3)
W007 HIGH: Insecure credential handling detected in skill instructions.
W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata