building-chat-interfaces

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The SYSTEM_PROMPT is formatted with and instructs the assistant to include the user's access_token (and user_id) when calling MCP tools, which forces the LLM to receive and emit secrets verbatim and creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The frontend's getPageContext() scrapes the current page's meta/heading/main content (arbitrary public page content) and the custom fetch injects that pageContext into request metadata which the backend extracts as page_context and is intended to be included in agent instructions, so the agent will read untrusted third‑party page content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly injects and requires the runtime script https://cdn.platform.openai.com/deployments/chatkit/chatkit.js (via Next.js beforeInteractive), which executes remote code in the browser and is required for the ChatKit component to function.