create-soul

Fail

Audited by Snyk on May 2, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt requires including verbatim "original words first" (原话优先) quotes and raw source text in the generated persona files, so if user-supplied materials contain API keys, passwords, or cookies, the LLM will output them verbatim, enabling secret exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches public third-party content (e.g., "podcast/interview URL" via collectors/youtube_transcript.py, "blog/article URL" via collectors/fetch_url.py, and Jike/Twitter exports in Step 2), and Step 3 requires the agent to read and distill those _raw/ files into persona/knowledge files that directly drive the agent's behavior, so untrusted user-generated content can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches user-provided external URLs at runtime (e.g., podcast/YouTube URLs via collectors/youtube_transcript.py and blog URLs via collectors/fetch_url.py) and injects that fetched content into the persona/distillation pipeline, meaning remote content can directly control the agent's prompts and behavior.

Issues (3)

W007 (HIGH): Insecure credential handling detected in skill instructions.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: HIGH
Analyzed: May 2, 2026, 02:41 AM
Issues: 3