sales-postmark

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs copying a Server API Token and shows initializing the client with a literal token string (e.g., ServerClient("YOUR_SERVER_TOKEN")), which encourages embedding secret API tokens verbatim in generated code or commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly ingests untrusted user-generated content via Postmark Inbound (see "Step 4 — Processing inbound email" and the references/platform-guide.md Inbound Email / GET /messages/inbound webhook flow), and instructs parsing/mapping those inbound messages into ticketing/workflows so that third‑party message content can drive actions.