ah-a2a

Fail

Audited by Snyk on Mar 11, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt explicitly documents --input-file and examples that read file contents and interpolate them into --task strings (e.g., cat /tmp/trend.txt → ${TREND}), which directs the agent to forward arbitrary file text verbatim to other agents and therefore can cause secrets to be included in outgoing requests.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). This skill explicitly discovers and calls arbitrary published agents on the open agents.hot network (see "The A2A network is open" and the ah discover / ah call and Step 4 A2A Pipeline examples in SKILL.md), ingesting their outputs and chaining those outputs into subsequent agent calls. Those outputs are untrusted third-party/user-generated content that can influence downstream tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). Calls to the agents.hot platform (e.g., POST /api/agents/{id}/call via https://agents.hot) are made at runtime and return external agent outputs that are then injected into subsequent agent task prompts (e.g., TREND=$(cat /tmp/trend.txt) → ah call ... --task "... ${TREND}"), so remote content directly controls prompts and is a required dependency.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 11, 2026, 10:30 AM
Issues: 3