perses-onboard

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs embedding a live token into perses-mcp-config.yaml via "credentials: '<token from percli whoami --show-token>'", which requires reading and outputting a secret verbatim into generated configuration—an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly directs the agent to connect to arbitrary Perses servers (user‑provided URLs or the public demo.perses.dev) and to query their APIs/tooling (e.g., curl /api/v1/health, percli responses, ToolSearch("perses") and perses_list_projects), and those runtime responses are read and used to gate/drive subsequent actions, so untrusted third‑party content can materially influence behavior.