persona

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to ask the user to copy bearer tokens and to run commands embedding the token (e.g., save-token.sh --token <bearer_token>), which requires the LLM to receive and emit secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill fetches and ingests user-generated posts from X (Twitter) using the capture.sh / setup-token.sh flow and X API token (described in SKILL.md) to build persona profiles that the LLM reads and uses when generating drafts (draft.sh), so untrusted third-party content from X can materially influence agent behavior and enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches user posts from the X API at runtime (see the developer portal link https://developer.x.com/en/portal/dashboard) and recent git commits via GitHub (requires GITHUB_TOKEN) which are injected into the LLM context to build persona profiles and directly shape the prompts, so those runtime API endpoints constitute external content that controls prompts.