kenobi-pages

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly offers an "agent-assisted" path that asks the user to paste their API key and then instructs the agent to run or emit a command like npx kenobi-pages init --key ..., which requires the LLM to receive and include the secret verbatim in output—an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests public/untrusted content — e.g., SKILL.md and references instruct running "npx kenobi-pages evidence create " to fetch brand pages and using "npx kenobi-pages sources / sources sample" and workflow "contextSources" (e.g., Notion/CRM call notes and run --context-file) as inputs that the agent must read and that directly influence generation, workflow runs, and publishing decisions, creating a clear avenue for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill repeatedly instructs the agent to run "npx kenobi-pages" (an npx/npm runtime fetch-and-execute of the kenobi-pages package) and to follow its stdout "nextCommand" JSON, which means remote code is fetched/executed at runtime and its output can directly control agent instructions — flagging the npx kenobi-pages invocation as the risky external dependency.