sales-minelead

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt's examples and guidance explicitly show embedding the API key as a URL query parameter (e.g., &key=), which encourages generating commands/requests that include secrets verbatim and thus creates a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's required workflow (SKILL.md Step 4 and the examples) explicitly instructs the agent to call Minelead's public API endpoints (e.g., GET /v1/search, /v1/find, /v1/tags, /v1/validate) and to read and act on returned, publicly-indexed lead/email data from a third-party service, so untrusted external content is fetched and used to make decisions (e.g., who to verify, save, or send campaigns to).