harmonyos-device-automation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt contains an explicit example that embeds a plaintext password in an act command (and shows API key placeholders in CLI examples), which teaches/permits the agent to output secret values verbatim and thus presents a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to accept and fetch external image URLs for targeting (see "Use a Reference Image for Precise Targeting" with an images.url example like https://github.githubassets.com/... and convertHttpImage2Base64) and also shows launching arbitrary http(s) URIs, so the agent ingests untrusted public web content and uses it to decide actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill requires a runtime MIDSCENE_MODEL_BASE_URL (e.g., https://generativelanguage.googleapis.com/v1beta/openai/, https://dashscope.aliyuncs.com/compatible-mode/v1, https://openrouter.ai/api/v1, or https://ark.cn-beijing.volces.com/api/v3) to call remote model APIs whose outputs directly drive the agent's prompts/actions, so these endpoints are runtime dependencies that control behavior.