mpstats

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly asks the user to paste their MPSTATS token into chat and instructs the agent to save it into config/.env (i.e., receive and embed the secret verbatim), creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill autonomously calls the public MPSTATS API (https://mpstats.io/api/…), for example via scripts/request.sh and scripts/wb/wb-sku.sh which fetch endpoints like items/{id}/comments, ingesting marketplace and user-generated content that the agent is expected to read and use to drive analyses and recommendations.