algolia-search-optimizations

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly asks for an App ID and API keys (including an analytics/admin key) and shows curl commands with header placeholders (e.g., X-Algolia-API-Key) that require inserting those keys verbatim into requests/commands, forcing the LLM to handle/output secrets.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to fetch and analyze public, user-generated data (e.g., analytics endpoints at https://analytics.algolia.com in Phase 1 and direct site fetches like curl "https://your-site.com/docs/some-page" plus custom-record URLs in Phases 3–4), which the agent must interpret and which directly drive its fixes and actions, exposing it to untrusted third‑party content that could carry indirect prompt injections.