settings

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill defines a set-hiro-api-key subcommand that takes an API key as a CLI argument and stores it in a plaintext config (and could prompt the agent to ask for and embed the key verbatim), which encourages exposing secrets directly (CLI args and config entries are high-risk ways to handle secrets).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — the settings.ts skill directly fetches and ingests JSON from open/public third-party endpoints (notably the user-controllable check-relay-health fetch to ${relayUrl}/health in the check-relay-health command, plus calls to https://api.hiro.so and the public npm registry), and that returned content is parsed and used to compute the agent's "healthy"/"issues"/updateAvailable outputs which can materially influence decisions.