subscription-audit
Fail
Audited by Snyk on Feb 22, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to read full email/thread JSON and deliver the raw JSON as an attachment (and extract message content), which means any secrets or API keys present in messages would be included verbatim in the output.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md workflow explicitly instructs the agent to search and read Gmail messages (via gmail_search_messages / gmail_read_threads) and Slack messages (via slack_search_public_and_private), and to extract amounts, plan names, and billing details from their plain-text content to drive consolidation and reporting. As a result, untrusted third-party message content can directly influence the agent's tool use and decisions.
Audit Metadata