aippt
Fail
Audited by Snyk on Feb 23, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
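- Insecure credential handling detected (high risk: 1.00). The skill explicitly requires "obtaining the API Key from config/secrets.md" and, in its example curl, places it in Authorization: Bearer ..., which requires including the secret value verbatim in output/commands and creates a risk of sensitive information leakage.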
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly uploads and embeds public image URLs from third-party image hosts (see 05_图床上传方法.md and tips/image-upload.md) and uses those {垫图URL} references in prompts to image-generation APIs (see 02/04 "提示词模板" and SKILL.md API calls), so it ingests untrusted, user-hosted content that can materially influence downstream model/tool behavior.
Audit Metadata