ghost-content-api

Fail

Audited by Snyk on Apr 11, 2026

Risk Level: HIGH
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the agent to fetch published posts/pages from arbitrary Ghost sites via the Content API (e.g., GET https://{admin_domain}/ghost/api/content/{resource}/?key=...), which are public, user-generated web content the skill expects the agent to read (browse()/read() examples) and thus could contain instructions that materially influence subsequent actions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the full prompt for literal values that meet the "high-entropy, usable credential" definition.

Flagged:

  • The JavaScript SDK initialization contains key: '22444f78447824223cefc48062' — this is a literal, non-placeholder, random-looking hex string (no ellipses or "KEY" placeholder). It appears to be an actual Content API key (read-only) and therefore meets the secret definition.

Ignored items and why:

  • All occurrences of "KEY" in cURL examples are placeholders — ignored per the "Documentation Placeholders" rule.
  • Truncated/example values like "5c7e...", "5b7...", "22e..." are redacted/truncated (contain ellipses) — ignored per the "Truncated/Redacted Values" rule.
  • Demo domain (https://demo.ghost.io) and other non-secret strings are not credentials.
  • The doc explicitly notes Content API keys are safe for public/browser use; however, the presence of an actual key string still qualifies as a literal credential and is therefore flagged.

Conclusion: a real-looking API key is present in the JS example and should be treated as a hardcoded credential.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Apr 11, 2026, 11:52 AM
  • Issues: 2