fix-demos

Fail

Audited by Snyk on Mar 27, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt explicitly instructs the agent to read .env (exposing PSQUARED_CRM_TOKEN, NUXT_MCP_DEMO_TOKEN, OPENBRAND_API_KEY) and to use those tokens in Authorization headers and API calls, which requires the LLM to handle secret values in its context and could lead to verbatim inclusion/exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). Flagged because SKILL.md STEP 2b explicitly instructs using WebFetch on company.domainName.primaryLinkUrl to re-scrape arbitrary company websites, and STEP 2a/2c require rewriting greetings, prompts, knowledge and quick questions based on that fetched content which directly drives tool calls (update_prompt, add_to_bucket, update_quick_questions, publish_agent), so untrusted third‑party pages can materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches arbitrary company websites at runtime (company.domainName.primaryLinkUrl, e.g. https://[domain]) and queries CRM via https://crm.psquared.dev/graphql, then uses that fetched content and the CRM's demoReviewIssues to rewrite system prompts and knowledge (via MCP update_prompt/add_to_bucket), so external content directly controls agent instructions.

Issues (3)

  • HIGH W007: Insecure credential handling detected in skill instructions.
  • MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
  • MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 27, 2026, 01:03 PM
Issues: 3