jetty

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to prompt for missing secrets and shows/encourages passing them inline (e.g., via secret_params examples and SDK api_key literals), which requires the LLM to include secret values verbatim in generated requests/commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's runbook remote mode (SKILL.md "Remote Mode" / Chat Completions API) explicitly supports the prism-playwright sandbox for browser automation (see references/agents-and-models.md) and step templates (e.g., litellm_vision's image_url_path and related examples) that accept external HTTP URLs, so the agent can fetch and interpret arbitrary public web pages/URLs which could carry untrusted, user-generated instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime calls to Jetty's API (https://flows-api.jetty.io), including POSTs to /v1/chat/completions with a "jetty" runbook block that cause the remote service to execute submitted runbook instructions in a sandbox, so this external URL executes code and is a required runtime dependency.