orshot

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt repeatedly shows and instructs embedding an API key literally (e.g., "Authorization: Bearer <ORSHOT_API_KEY>" and SDK constructors with '<ORSHOT_API_KEY>'), which encourages the agent to accept and output secret values verbatim in headers/code.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly accepts and renders arbitrary public URLs (e.g., "Render from Utility Template" with modifications.websiteUrl for website-screenshot, videoElement URLs in "Video Parameters", and dynamic URL generation), which causes the service to fetch and process untrusted third‑party web content as part of its runtime workflow.