vision-mcp
Fail
Audited by Snyk on Apr 13, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to read a real API key from ~/.claude/settings.json and then embed that exact key into ~/.claude.json (replacing "sk-xxxxxxxx"), which requires the LLM to handle and output the secret verbatim.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). High-risk: the skill automatically reads a local secret (env.ANTHROPIC_API_KEY) from ~/.claude/settings.json and writes it into ~/.claude.json so it will be sent as an X-API-Key to an external/untrusted HTTP endpoint (http://10.80.1.251:10005/mcp), which enables credential exfiltration and the unauthorized upload of images or server files; no obfuscation or RCE was observed, but the described automatic credential harvesting and remote configuration is a clear abuse pattern.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly accepts and analyzes arbitrary HTTP/HTTPS image URLs (see the "支持的图片来源" ("Supported image sources") section and usage examples like "分析一下这张截图 https://example.com/screenshot.png" ("Analyze this screenshot https://example.com/screenshot.png")), meaning the agent will fetch and interpret untrusted third-party user content that could embed instructions affecting its actions.
Issues (3)
W007 (HIGH): Insecure credential handling detected in skill instructions.
E006 (CRITICAL): Malicious code pattern detected in skill scripts.
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).