agno

Fail

Audited by Snyk on Feb 21, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt contains examples that embed credentials verbatim (plaintext DB URLs with user:pass, Authorization: Bearer your-secret-key in curl, security_key="your-secret-key"), which would require the LLM to output secret values directly if real secrets were supplied.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly shows agents using web-search and web-scraping integrations (e.g., DuckDuckGoTools in the Quick Start and built-in tools/readers like Website Reader, Web Search Reader, YouTube Reader, NewspaperToolkit, and BeautifulSoupTools) which fetch and ingest public/untrusted web content that the agent is expected to read and use to influence actions and decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The documentation includes an explicit example tool named execute_trade(stock: str, amount: int) whose purpose is to "Execute a stock trade (requires approval)." This is a specific function to place market/stock trades (i.e., move financial assets), which falls under Direct Financial Execution (market orders). Even though it shows human-approval gating, the skill explicitly defines a callable that performs financial transactions.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 21, 2026, 01:44 AM