free-mission-control

Fail

Audited by Snyk on Mar 5, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs users/agents to run a script with an explicit --api-key YOUR_KEY command-line argument (and to copy an API key from missiondeck.ai), which requires embedding the secret verbatim in commands, a pattern that exposes the key to exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md "Telegram → Mission Control Auto-Routing" section (agent-bridge.js watching OpenClaw session JSONL files) shows the system ingests arbitrary Telegram user messages (untrusted user-generated content) and turns them into task cards that agents read and act on, so third‑party content can influence agent behavior.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 5, 2026, 04:07 AM