comment-funnel

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt asks the agent to solicit an API key from the user and shows curl/examples that embed "Authorization: Apikey YOUR_KEY" (and instructs using that key for all requests), which requires the LLM to include secret values verbatim in generated commands/requests.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly tells the agent to fetch and semantically analyze user-generated Instagram comments via the Upload-Post API (see SKILL.md "Read Comments" / GET /uploadposts/comments and the "Scan Comments" / One-Shot workflow) and to take actions (send DMs) based on that content, so untrusted third-party content can directly influence decisions and tool use.