eyeball

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill requires extracting verbatim phrases from source documents and embedding them as "anchors" in the JSON/CLI build command and output Word document, so if the source contains secrets (API keys, tokens, passwords) the LLM would be instructed to include those secret values verbatim in its generated output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts "Web URLs: Any publicly accessible web page" (SKILL.md) and the code (render_url_to_pdf, cmd_extract_text, and cmd_build in tools/eyeball.py) fetches and extracts text from arbitrary HTTP(S) pages which the agent is required to read and then uses that content to decide anchors and build analysis/screenshot actions, so untrusted third‑party content can materially influence tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill calls render_url_to_pdf() and accepts any user-supplied HTTP(S) source (e.g., "http://..." or "https://...") at runtime and then extracts and injects that page's text into the analysis workflow, so arbitrary external web content can be fetched at runtime and directly control the agent's input/context.