btpanel

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's examples instruct adding servers by including API tokens on the command line (e.g., -t YOUR_API_TOKEN), which encourages asking for and embedding secret values verbatim in commands, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill autonomously fetches and parses data from arbitrary configured panel hosts (see bt_common/bt_client.py::request and API calls like get_file_body/get_service_log, plus SKILL.md and bt-config examples that instruct adding external panel URLs), so untrusted third‑party responses (logs, file bodies, site data) are ingested and can directly influence alerts and subsequent actions.