erwa-api

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The documentation repeatedly shows Authorization: Bearer headers and ws URL query tokens in curl and WebSocket examples, which requires embedding a user-provided secret/token verbatim into generated requests/commands, an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill directly ingests user-generated/untrusted content from its API and realtime feeds (e.g., GET /api/v1/summaries, /api/v1/second_kol, /api/v1/newsflash and the WebSocket endpoints at ws://88.222.241.169), including HTTP/url fields and KOL/group summaries that the agent is expected to read and that could materially influence subsequent actions.