website-launch-kit
Fail
Audited by Snyk on May 12, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly asks the user to paste their Gemini API key into chat and includes commands (sed/.env updates and examples) that embed the user-provided key verbatim, so the agent must receive and handle the secret in cleartext and would likely include it in generated commands or files — a direct exfiltration risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). This skill contains high-risk behaviors: it explicitly instructs users to paste private API keys into chat (exposing secrets), writes those keys into local .env files, and automatically installs and runs third‑party npm/npx packages (global MCP, nano-banana, agent-browser, etc.) — creating clear avenues for credential capture and supply‑chain / remote code risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill asks the user to paste an arbitrary "inspiration" URL (references/01-intake.md Q8) and then explicitly opens and deeply extracts that public webpage with agent-browser (references/02-clone.md Part 1) to drive layout, CSS, images, and build decisions—i.e., it ingests untrusted third‑party web content that directly influences tool actions and next steps.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill calls agent-browser at runtime to open and extract an arbitrary user-provided inspiration URL (agent-browser open "[INSPIRATION_URL]"), and those extracted HTML/CSS/images are injected into the agent's build/extraction workflow to directly drive cloning/customization, so a malicious or crafted external page could control the agent's behavior or payloads.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill instructs the agent to modify the host environment (install global packages, write/update .env, auto-register MCPs, run installers and deploy commands) which persistently changes the machine state even though it doesn't explicitly request sudo or create users.
Issues (5)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.