dify-tool-developer

Audit result: Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to request secrets (e.g., REMOTE_INSTALL_KEY, API keys, OAuth client_secret), embed them in files and commands (e.g., .env, provider YAML), and use them in API calls and Authorization headers. This forces the LLM to handle, and potentially emit, secret values verbatim, creating a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to fetch and parse live, public API responses and web resources (e.g., tools/github-issues.py calling the GitHub API, tools/get-weather.py calling OpenWeatherMap, and scripts/install_cli.py querying the GitHub releases API). These are open, public third-party sources that can contain untrusted or user-generated content, which the agent will read and interpret as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill requires fetching and loading remote documentation at runtime (e.g., https://docs.dify.ai/plugin-dev-en/0222-tool-plugin.md), and that fetched content directly controls what the agent must follow when producing code and instructions; the workflow treats those remote docs as a runtime dependency.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 10:41 AM