reddit-leads

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that place the API key directly in Authorization headers and curl commands (and guides users to paste their API key), which teaches or requires embedding secret values verbatim in generated requests—an insecure pattern that risks secret exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md shows the skill queries reddapi.dev to fetch and ingest user-generated Reddit posts and metadata (e.g., API Reference and Example Workflows) and then uses those leads and lead_scores to drive outreach/CRM actions, so untrusted third-party content can directly influence agent decisions.