browse

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill includes explicit examples and commands that embed credentials verbatim (e.g., socks5://user:pass@host in --proxy, cookie =, header :), which would require the LLM to output secret values directly and thus creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly navigates arbitrary web pages (e.g., the documented goto flow) and exposes page content via commands like text, html, links, snapshot and scrape — the SKILL.md even includes an "Untrusted content" section that wraps page output and instructs the agent how to treat it, which shows the agent ingests open/public third‑party (user-generated) content as part of its workflow and that content can materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's setup step will at runtime download and execute a remote install script from https://bun.sh/install (curl -fsSL ... -o tmpfile ; bash "$tmpfile"), which fetches and runs remote code as a required part of the one-time build, so it directly executes external code.