style-writer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt mandates inserting verbatim quotes from user-provided corpora (e.g., "trích dẫn nguyên văn ≤30 từ") as evidence, which would force the model to reproduce any secrets present in those inputs and thus risks exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The Analyze workflow explicitly ingests public third‑party webpages: SKILL.md "Bước 1. Thu thập corpus (Văn)" (c. URL (Substack/blog)) directs the agent to use substack-tools or WebFetch to fetch archive pages and individual blog/Substack articles, which the agent must read and interpret to produce voice files that will drive later writing behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill fetches user-provided web URLs (e.g., Substack/blog URLs fetched at runtime via WebFetch or the referenced substack-tools/substack_crawl.py) and injects the retrieved article content into the model context to drive the Analyze workflow, so remote content can directly control the agent's prompts/outputs.