bananahub

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes explicit CLI/config examples that pass API keys as --api-key arguments and show api_key fields in config JSON, which encourages the LLM to accept and embed secret values verbatim (exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and installs templates and catalog data from third-party sources (e.g., GitHub tarballs via the CLI "add" flow described in BANANAHUB.md and remote catalog files like https://bananahub.ai/catalog.json / catalog-curated.json referenced in references/hub-discovery.md), those templates are user/ community-provided, the agent is instructed to read/inspect them and use them to assemble prompts or drive generate/edit flows, and those remote templates can therefore materially change the agent's actions (install/use template → assemble prompts → call generation/edit), so it exposes the agent to untrusted third-party content that could enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime discovery/install flows explicitly fetch BananaHub catalogs and remote template repos (e.g., https://bananahub.ai/catalog.json) and then load template.md bodies or GitHub tarballs which are parsed into prompt/workflow templates that directly control agent prompts and behavior.