pair-agent

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires the agent to output the full instruction block verbatim (including one-time setup keys/session tokens and to accept ngrok auth tokens), which forces the LLM to handle and emit secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly pairs your browser with a remote agent and (in Step 4 and the "What the remote agent can do" section) instructs that the remote agent may "navigate to URLs" and "read page content" (and even use ngrok to expose the server), meaning untrusted public web pages can be fetched and interpreted as part of the agent workflow and thus could inject instructions indirectly.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's setup step downloads and executes a remote installer script at runtime via curl -fsSL "https://bun.sh/install" and then runs it with bash, so https://bun.sh/install is a runtime external dependency that executes remote code.