ide-im

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly asks the agent to collect API tokens/app secrets from the user and write them as KEY=VALUE into CTI_HOME/config.env (while only masking secrets in displayed summaries), which requires the LLM to handle and embed secret values verbatim in generated files/commands and thus creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly forwards messages from external IM platforms to the AI ("How It Works" and README.md: "Messages from IM are forwarded to the AI agent") and injects workspace identity/memory files into session system prompts (references/identity-and-memory.md and templates), so untrusted, user-generated content from public IM chats and editable workspace files will be read by the agent and can influence tool use and actions (SKILL.md / README workflows describe permissioned tool calls based on chat), enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill and its CI steps explicitly run a remote install script via curl -fsS https://cursor.com/install | bash (and reference this as the required way to install the Cursor CLI used at runtime when CTI_RUNTIME=cursor), which executes remote code fetched at runtime and is relied on as a required dependency.