postmark-webhooks

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). This skill explicitly instructs embedding credentials in webhook URLs (username:password@... and ?token=your-secret-token) which would require the agent to place secret values verbatim into generated URLs/commands, creating a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill defines a public POST endpoint (/webhooks/postmark) in SKILL.md and multiple examples (examples/express/src/index.js, examples/fastapi/main.py, examples/nextjs/app/webhooks/postmark/route.ts) that ingest Postmark webhook payloads — including Inbound events with HtmlBody/TextBody and Click events with OriginalLink — and explicitly show processing that can trigger downstream actions (e.g., "Process incoming email", "Trigger re-engagement workflow"), so untrusted/user-generated third-party content is read and can materially influence behavior.