context-recovery

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt explicitly instructs reading session/channel message content and to quote user requests (via jq/tail and synthesized "quoted request"), so if those messages contain API keys, tokens, or passwords the agent would output them verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly reads and parses channel history via message:read from third-party messaging platforms (Discord, Slack, Telegram, Signal), ingesting user-generated/untrusted messages and URLs as part of its recovery workflow, which could enable indirect prompt injection.