byted-airesearch-survey

Fail

Audited by Snyk on Apr 13, 2026

Risk Level: HIGH
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime HTTP calls to https://console.volcengine.com/datatester/compass/api/v3/survey/skill/message (and the derived /status URL), and the backend's reply_markdown/next_actions returned from those endpoints directly control the agent's user-facing prompts and workflow, making this an external runtime dependency that governs instructions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy credentials. Most candidates are placeholders, environment variable names, truncated examples, or low-entropy setup values and are intentionally ignored per the rules (e.g., "sk-live-24jds..." is truncated, "BYTED_AI_RESEARCH_SURVEY_API_KEY" is just an env var name, and other examples are documentation placeholders).

However, the documentation includes an unredacted, high-entropy API key in the "Bad — the host showed unredacted API key and internal headers:" example: -H "x-api-key: 3089e65f8d577071a7c9f7a1ae041716b351ac2a". This string appears to be a real-looking secret (long, random hex) and should be flagged. The accompanying header -H "x-tt-env: ppe_datarangers" is just an environment tag and not a secret.


Audit Metadata

Risk Level: HIGH
Analyzed: Apr 13, 2026, 10:46 AM
Issues: 2