context-recovery

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt explicitly instructs reading session/channel message content and to quote user requests (via jq/tail and synthesized "quoted request"), so if those messages contain API keys, tokens, or passwords the agent would output them verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md Execution Protocol Step 2 ("Fetch Channel History" using message:read for Discord/Slack/Telegram/Signal) explicitly instructs the agent to read and parse user-generated channel histories and then synthesize that content to decide next actions, exposing it to untrusted third-party content that could carry indirect prompt injections.