unslop-file
Fail
Audited by Snyk on May 4, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The LLM mode sends file contents to an external Claude instance and is required to preserve fenced code blocks and inline code verbatim, so any API keys/passwords present in those regions (or elsewhere in the file) would be included in the model I/O and reproduced exactly, risking secret exfiltration despite some path-based refusals.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill can download and load public HuggingFace detector models (see scripts/detector.py and scripts/fetch_detectors.py which call AutoTokenizer.from_pretrained / from_pretrained for "Oxidane/tmr-ai-text-detector" and "desklib/ai-text-detector-v1.01"), and those externally-hosted, user-published model files are fetched and executed as part of the detector feedback loop that directly influences humanization decisions and iteration control.
Issues (2)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).