trending-ad-hook-spotter

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt shows using APIFY_API_TOKEN directly in example HTTP requests (query param/token substitution), which would require the agent to insert the secret verbatim into generated requests/commands and therefore creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests untrusted, user-generated content from public sources—Reddit via the Apify reddit-scraper-lite actor, Twitter/X and LinkedIn via web_search (site:x.com and site:linkedin.com/posts), and Hacker News via the Algolia API—and instructs the agent to read and interpret those posts/threads to score trends and generate ad hooks that materially influence subsequent actions.