wayai

Fail

Audited by Snyk on May 12, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to ask the user to "Paste your OpenAI/Anthropic/Google API key here" and then to run a CLI command that consumes the pasted value. The secret therefore passes through the chat transcript and the model's context window, from where the agent can be asked to repeat or forward it, which is a high exfiltration risk.
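The pattern behind W007 is "key in the chat, then key in argv". The script below is an added example written for this page, not code from wayai or from the Snyk report: it contrasts that pattern with a loader that never accepts the key as an argument, takes it from an already-exported variable (a secret manager or CI can set it) or from a 0600 file the user wrote outside the chat, and exposes only a masked form. The variable name API_KEY, the file paths and the constructed key value are hypothetical.

```shell
#!/bin/sh
# Added example (not wayai's code). Safe handling of an API key for a CLI:
# never pass it on the command line, never echo it, read it from the
# environment or a permission-restricted file.

# What the flagged instruction amounts to: the pasted key is in argv (visible
# in the transcript, shell history and `ps`) and lands in a file created with
# the default umask, i.e. world-readable on most systems.
insecure_store() {
    printf 'API_KEY=%s\n' "$1" > "$2"      # "$1": pasted key, "$2": config path (hypothetical)
}

# secure_load FILE -> sets and exports API_KEY and returns 0; returns 1 and
# leaves API_KEY unset if FILE is missing, a symlink, not owned by the caller,
# not exactly mode 0600, or empty.
secure_load() {
    file="$1"
    if [ -n "${API_KEY:-}" ]; then return 0; fi       # already injected; do not touch files
    [ -f "$file" ] || return 1
    # -perm 600 is an exact-mode match on both GNU and BSD find; -type f rejects symlinks
    [ -n "$(find "$file" -maxdepth 0 -type f -user "$(id -un)" -perm 600 2>/dev/null)" ] || return 1
    API_KEY=$(head -n 1 "$file" | tr -d '\r\n')
    [ -n "$API_KEY" ] || { unset API_KEY; return 1; }
    export API_KEY
}

# mask_key KEY -> "****" plus the last four characters; this is the only form
# that should ever be shown back to the user or written to a log.
mask_key() {
    printf '****%s' "$(printf '%s' "$1" | tail -c 4)"
}
```

The CLI that needs the key then reads API_KEY from its environment; the agent only ever sees the masked value, so there is nothing in the transcript worth exfiltrating.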

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's documentation explicitly allows agents to call arbitrary external HTTP APIs and MCP resource URIs (see references/agents/custom-tools.md, "Custom tools", which supports full URLs and composed_tools) and to read those tool results into the agent's history or use them to drive follow-up native tool actions (references/agents/native-tools.md and the meta tools). Untrusted third-party content can therefore be ingested at runtime and materially influence agent decisions: the text a remote endpoint returns is data, but nothing in the skill stops the model from acting on instructions embedded in it.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the agent at runtime to fetch and install remote packages ("npm i -g @wayai/cli@latest" and "npx skills add wayai-pro/wayai-skill -y"). Both commands download and execute external code, and the second installs skill content that directly controls the agent's prompts. The packages are referenced only by a floating tag and a repository name (https://www.npmjs.com/package/@wayai/cli and https://github.com/wayai-pro/wayai-skill), so what actually runs is whatever is published under those names at install time and cannot be verified before the agent executes it.
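A reviewer can gate the instructions flagged under W012 mechanically before a skill is approved. The script below is an added example written for this page, not code from wayai, the skills CLI or the Snyk report: it applies a policy of ours (exact versions only, --ignore-scripts on every npm install, no -y auto-approval) to the two command lines quoted in the finding. The version 1.4.2 used in the pinned example is hypothetical.

```shell
#!/bin/sh
# Added example (not wayai's code). A floating tag such as @latest resolves to
# whatever is published next, and -y removes the only prompt a human would
# have seen; this linter refuses both.

# pinned SPEC -> 0 when SPEC is name@X.Y.Z (scoped @org/name allowed), else 1
pinned() {
    spec="$1"
    name="${spec%@*}"                     # strip the last "@..." segment
    ver="${spec##*@}"
    [ -n "$name" ] || return 1            # "@wayai/cli": only the scope "@", no version
    [ "$name" != "$spec" ] || return 1    # "wayai": no "@" at all
    printf '%s' "$ver" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# lint_install_line LINE -> prints one finding per violation, returns 1 if any
lint_install_line() {
    rc=0
    set -- $1                             # split the command line into words
    [ $# -gt 0 ] || return 0
    tool="$1"; shift
    case "$tool" in
    npm)
        [ $# -gt 0 ] || return 0
        case "$1" in i|install|add) shift ;; *) return 0 ;; esac
        ignore_scripts=0
        for tok in "$@"; do
            case "$tok" in
            --ignore-scripts) ignore_scripts=1 ;;
            -y|--yes) echo "auto-approval flag: $tok"; rc=1 ;;
            -*) ;;                        # other options (-g, --save, ...)
            *) pinned "$tok" || { echo "unpinned package spec: $tok"; rc=1; } ;;
            esac
        done
        [ "$ignore_scripts" = 1 ] || { echo "install scripts allowed: add --ignore-scripts"; rc=1; }
        ;;
    npx)
        pkg=""
        for tok in "$@"; do
            case "$tok" in
            -y|--yes) echo "auto-approval flag: $tok"; rc=1 ;;
            -*) ;;
            *) [ -n "$pkg" ] || pkg="$tok" ;;   # first bare word is what npx executes
            esac
        done
        if [ -n "$pkg" ] && ! pinned "$pkg"; then
            echo "npx runs an unpinned package: $pkg"; rc=1
        fi
        ;;
    esac
    return $rc
}

# Demo on the two command lines quoted in the finding.
for cmd in 'npm i -g @wayai/cli@latest' 'npx skills add wayai-pro/wayai-skill -y'; do
    printf '> %s\n' "$cmd"
    lint_install_line "$cmd" || true
done
```

Pinning alone still trusts the registry; installing with npm ci against a committed lockfile additionally checks each tarball against the lockfile's integrity hash. The repository shorthand wayai-pro/wayai-skill carries no commit reference either, which this linter does not check because the page does not show how the skills CLI expresses one.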

Issues (3)

W007  HIGH    Insecure credential handling detected in skill instructions.
W011  MEDIUM  Third-party content exposure detected (indirect prompt injection risk).
W012  MEDIUM  Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: HIGH
Analyzed: May 12, 2026, 04:56 PM
Issues: 3