worldmodel

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). This skill requires reading arbitrary code, config, and user-provided files/URLs and to emit raw channel findings and provenance (including file snippets) but gives no guidance to redact secrets—so if those sources contain API keys, tokens, or passwords the agent is likely to reproduce them verbatim in its output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Phase 1 "Web channel" and "User sources" steps explicitly require issuing WebSearch/WebFetch calls and "WebFetch all provided URLs" (SKILL.md Phase 1 and Light mode), including contrarian probes that surface public forums (references/probe-vocabulary.md mentions HN/Reddit), so the agent will fetch and interpret arbitrary public third‑party content which can materially influence subsequent tool dispatch and synthesis.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly scans the prompt for user-provided URLs ("starting with http") and "WebFetch[es] all provided URLs" at runtime, meaning arbitrary external pages (e.g., any http:// or https:// URL supplied in the prompt) are fetched and injected into the agent context and can directly control prompts/instructions.