omni-recall

Fail

Audited by Snyk on Mar 30, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt includes examples that pass sensitive values verbatim on the command line (e.g., sync-vault "ZHIHU_COOKIE" "your_long_cookie_string") and fetch-vault that returns decrypted values, which requires the agent to handle and potentially output secrets directly.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The code intentionally uplinks user data (memories, profiles, instructions, NSFW content, and vault entries) to a hard-coded external Supabase host and calls an external embedding API, which constitutes an intentional data-exfiltration/backdoor pattern that can leak sensitive content and credentials to a remote operator.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's batch_sync_doc explicitly fetches arbitrary HTTP/HTTPS URLs (scripts/omni_ops.py uses requests.get to retrieve web pages, and README/SKILL.md document "batch-sync-doc" / "Sync web pages via URL"), and those fetched public web contents are ingested into memories/instructions that the agent reads (fetch/fetch_full_context) and are used to align persona and behavior—so untrusted third-party pages can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill connects at runtime to an external Supabase host (aws-1-ap-south-1.pooler.supabase.com) using psycopg2 and requires SUPABASE_PASSWORD; that remote database stores the "instructions" table which fetch_full_context prioritizes into the agent context, so remote content can directly control agent prompts and is a required dependency.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Mar 30, 2026, 08:17 AM
  • Issues: 4