get-qualified-leads-from-luma

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill asks for and embeds webhook URLs and other tokens directly into generated commands/code (e.g., Python POST to webhook, curl tests, export APIFY_API_TOKEN), requiring the LLM to include secret values verbatim and thus posing exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly scrapes public Luma event pages using the luma-event-attendees scraper/Apify (see SKILL.md Step 1: "Search Luma and Extract Attendees"), ingesting attendee bios/profiles from open, user-generated sources and feeding them into the lead-qualification workflow that directly affects downstream actions (qualification results, Google Sheet writes, Slack alerts), which could allow indirect prompt injection.