triage-finding

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill instructs the agent to read and reproduce user-supplied content (e.g., "Original" full post text, full transcripts, or saved idea notes) and to write those verbatim into notes/files or output, so any secrets contained in the input would be copied and emitted unchanged.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md and README explicitly instruct the agent to fetch and read arbitrary website/article links (via WebFetch), GitHub repos (gh/WebFetch), YouTube transcripts (youtube-transcript-api/Exa), and user posts/screenshots—public, user-generated sources—which the agent parses and uses to make recommendations, creating a clear avenue for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches YouTube transcripts at runtime (e.g., https://youtube.com/watch?v=...) using the youtube-transcript-api and then injects that fetched transcript into a background agent for processing, meaning external content from that URL is loaded at runtime and fed into the model context which can directly control prompts.