puda-workflows

Fail

Audited by Snyk on Apr 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt explicitly instructs the agent to ask the user for the OpenRouter API key (a secret) if not in the environment, which means the LLM would receive sensitive credential material in chat and could be asked to place it into configs or commands, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly calls external LLMs via OpenRouter/OpenAI (see references/optimization.md and scripts/optimizers.py: SOCM_LLM / ViscosityLLMSingleObjectiveOptimizer) and parses the model's JSON responses to produce next (R,G,B) volumes or protocol parameters, which are then used to generate and execute Opentrons protocols. Untrusted third-party model outputs are therefore ingested at runtime and can materially influence tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's LLM optimizers call the OpenRouter API (https://openrouter.ai/api/v1) at runtime via the OpenAI client to obtain JSON-formatted suggestions that are parsed and used to control experiment parameters and prompts, and require an OPENROUTER_API_KEY, so remote responses directly control agent behavior.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: HIGH
Analyzed: Apr 16, 2026, 08:41 AM
Issues: 3