browse

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill includes explicit examples and commands that embed credentials verbatim (e.g., socks5://user:pass@host in --proxy, cookie =, header :), which would require the LLM to output secret values directly and thus creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly navigates and ingests arbitrary web content (e.g., goto <url>, text, html, links, scrape, snapshot commands in SKILL.md) and even documents an "Untrusted content" envelope for outputs from page text/html/console/snapshot, meaning the agent will read untrusted, third‑party pages as part of its workflow and those pages could materially influence subsequent tool actions (clicks, downloads, navigation).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's setup step will download and execute a remote installer script at runtime via curl -fsSL "https://bun.sh/install" and then run it with bash, which clearly fetches remote code that is executed as a required dependency.