memory-router

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill mandates querying local collections (including agent configs/auth) and returning document content/citations (e.g., via qmd --full, qmd get), which can force the model to include secret values from those files verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's routing algorithm in SKILL.md (Step 2 — RETRIEVE, for category D "external facts / live data") explicitly falls through to "web_fetch / browser" ("If low recall → web_fetch / browser"), so the agent will fetch and read open web content that can be untrusted/user-generated and influence subsequent actions.