ghost-webhooks

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes examples that embed API keys or JWTs directly in code and curl headers (e.g., key: '{id}:{secret}', -H "Authorization: Ghost {jwt-token}"), which encourages the agent to output secret values verbatim and thus presents a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests public, user-generated content via Ghost webhooks and the Content API (see "Webhook Payload" and "Webhook Receiver Example" plus "JavaScript SDKs" -> Content API where posts.browse and api.posts.read are used) and uses that data to trigger actions (rebuilds, notifications, CRM sync), so third-party content can materially influence agent behavior.