dot-skill

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt asks the agent to collect app_id/app_secret, OAuth codes, user_access_token/tenant_access_token and shows commands and HTTP headers that embed those secrets (e.g., CLI flags like --user-token and Authorization: Bearer {token}), forcing the LLM to insert secret values verbatim into commands/requests.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's main workflow explicitly auto-collects and reads user-generated chat/docs from third-party platforms (e.g., tools/feishu_auto_collector.py, tools/dingtalk_auto_collector.py, tools/slack_auto_collector.py and the browser-based feishu_browser/feishu_mcp flows) and then uses Read on files like knowledge/{slug}/messages.txt to build the Persona/Work Skill that directly governs agent behavior, so untrusted third‑party content is ingested and can materially change actions.