ecomseer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to take a user-pasted API key and embed it verbatim into a shell command ("openclaw config set ... "{KEY}""), which forces the LLM to output the secret value directly (exfiltration risk).

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The skill explicitly instructs transmitting the user's ECOMSEER_API_KEY to a third‑party endpoint (deepresearch.admapix.com) by including it in the POST payload and automating polling/report retrieval, which is credential exfiltration/unauthorized data sharing (high risk); there are no signs of obfuscated payloads, remote code execution, or classic backdoors, but the deliberate forwarding of user secrets to an external service is a severe abuse pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md and the references) instructs the agent to fetch and analyze third‑party, user‑generated TikTok content and ad creatives via EcomSeer API endpoints (e.g., /api/open/product/videos, /api/open/product/reviews, /api/open/videos/hot, /api/open/influencers/search, /api/open/ads/ec-search) and to use those results in analysis and decision-making, which clearly exposes the agent to untrusted external content that could carry indirect prompt‑injection payloads.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly calls the external Deep Research API at https://deepresearch.admapix.com/research (and consumes its returned summary and hosted report URL https://pub-a760a2c961554a558faba40a40ac9e08.r2.dev/deep-research/{task_id}/report.html) at runtime and instructs the agent to use that returned summary as the definitive output, so remote content directly controls the agent's responses and is a required dependency.