persona-knowledge

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill ingests and stores verbatim user data (with a PII scan but no redaction) and instructs the agent to emit direct quotes, wiki pages, and raw training exports, so any secrets present in sources would be read and likely reproduced verbatim in outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's ingestion pipeline (scripts/ingest.py) and adapters (adapters/social.py, adapters/chat_export.py, adapters/universal.py) explicitly parse user-provided and public social/archive content (e.g., data/tweets.js, Instagram JSON, WhatsApp/Telegram exports) and SKILL.md Phase 3 requires the agent to read MemPalace/wiki content derived from those untrusted, user-generated sources (and a listed WebSearch tool can fetch public data), so third‑party content is consumed at runtime and can materially influence the agent's wiki updates, exports, and downstream actions.