setup
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill instructions explicitly tell the agent to ask the user to paste their Claude/Anthropic token and then to write that token into .env (e.g., via echo "CLAUDE_CODE_OAUTH_TOKEN=" > .env). That flow requires the model to receive the secret verbatim and embed it in a command it emits, so the token passes through the model's context and the conversation transcript, a direct exfiltration path. The secret should be written locally by the user; the agent only needs to learn that the variable is set, never its value.
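The hardened handoff the finding calls for, as an added example that is not code from the Snyk report or from the audited skill: a local helper reads the token straight from the user (getpass in real use), writes .env with owner-only permissions, and hands the agent only a status line, never the value. A redaction filter for tool output is included so a later `cat .env` cannot put the secret back into the model's context. The function names, the minimal .env parser and the constructed demo token are this example's own assumptions.

```python
"""
Hardened secret handoff for the pattern W007 flags (added example, not the
report's or the skill's own code).  The insecure flow is the agent emitting
    echo "CLAUDE_CODE_OAUTH_TOKEN=<pasted token>" > .env
so the token transits the model's context.  Here the value never reaches the
agent: it is read locally, stored with mode 0600, and only "set"/"unset" is
reported back.  Names and the demo token are this example's assumptions.
"""
import getpass
import os
import tempfile
from typing import Callable, Dict


def _parse_env(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser for the lines this helper writes."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value
    return out


def write_env_secret(env_path: str, name: str,
                     read_secret: Callable[[], str] = lambda: getpass.getpass("Token: ")) -> str:
    """Store NAME=<secret> in env_path; the value is never returned or printed.

    read_secret is the only source of the value, so no command line, tool call
    or transcript contains it.  Returns a status string safe to show an agent.
    """
    if not name.isidentifier():
        raise ValueError(f"bad variable name {name!r}")
    secret = read_secret()
    if not secret or any(c in secret for c in "\r\n\x00"):
        raise ValueError("refusing empty or multi-line secret")

    existing: Dict[str, str] = {}
    if os.path.exists(env_path):
        with open(env_path, encoding="utf-8") as f:
            existing = _parse_env(f.read())
    existing[name] = secret

    # mkstemp creates the file with mode 0600 regardless of umask; writing
    # there and renaming over .env means the secret is never readable by
    # other users, not even between creation and a later chmod.
    directory = os.path.dirname(os.path.abspath(env_path))
    fd, tmp = tempfile.mkstemp(prefix=".env.", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            for key, value in existing.items():
                f.write(f"{key}={value}\n")
        os.replace(tmp, env_path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return f"{name} stored in {env_path} with mode 0600"


def env_var_status(env_path: str, name: str) -> str:
    """All an agent needs to know: whether the variable is set, never its value."""
    if not os.path.exists(env_path):
        return "unset"
    with open(env_path, encoding="utf-8") as f:
        return "set" if _parse_env(f.read()).get(name) else "unset"


def redact_known_secrets(text: str, env_path: str) -> str:
    """Tool-output filter: mask every .env value so a stray `cat .env` cannot
    put the secret back into the model's context."""
    if not os.path.exists(env_path):
        return text
    with open(env_path, encoding="utf-8") as f:
        values = [v for v in _parse_env(f.read()).values() if len(v) >= 8]
    for value in sorted(values, key=len, reverse=True):
        text = text.replace(value, "[REDACTED]")
    return text


def demo() -> dict:
    """Run the whole flow in a scratch directory with a constructed token."""
    scratch = tempfile.mkdtemp()
    env_path = os.path.join(scratch, ".env")
    token = "constructed-token-value-1234"  # constructed; not a real credential
    status = write_env_secret(env_path, "CLAUDE_CODE_OAUTH_TOKEN", lambda: token)
    with open(env_path, encoding="utf-8") as f:
        content = f.read()
    try:  # a newline in the value would let an attacker append extra .env lines
        write_env_secret(env_path, "X", lambda: "a\nb")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "status": status,
        "status_leaks": token in status,
        "mode": oct(os.stat(env_path).st_mode & 0o777),
        "content": content,
        "agent_sees": env_var_status(env_path, "CLAUDE_CODE_OAUTH_TOKEN"),
        "redacted": redact_known_secrets("cat .env -> " + content, env_path),
        "rejects_multiline": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

In practice the user runs `write_env_secret` from a terminal outside the agent session, and the agent's tool layer calls `env_var_status` and wraps command output in `redact_known_secrets`; the skill instructions then never need to mention the token value at all.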
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The setup reads and processes arbitrary WhatsApp messages (e.g., capturing chat JIDs from store/messages.db and registering WhatsApp chats/groups as the "main" control channel), so untrusted, user-generated content from those chats is ingested and interpreted by the agent. Anyone who can post to a registered chat or group can therefore place instructions in front of the agent, which enables indirect prompt injection.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs the agent to create and load a persistent launchd service, install and start container runtimes, write persistent configuration files (including mount allowlists and a .env holding credentials), and run build/start commands that change the host environment and grant the agent access to host files. These steps modify system state in ways that persist beyond the current session and widen the agent's reach into the host, which can compromise the machine.
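A minimal rule-based detector for the three indicators the W007, W011 and W013 findings describe, run over a constructed excerpt of a skill file. This is an added example, not Snyk's scanner, and borrows none of its logic: the rule IDs reuse the report's labels, but the patterns, severities, the constructed SKILL.md text and the risk roll-up are this example's own assumptions.

```python
"""
Rule-based check for the indicators behind W007 (secret pasted into a
dotfile), W011 (third-party messages as agent input or control channel) and
W013 (persistent service / host changes).  Added example, not Snyk's scanner;
patterns, severities and the sample text are this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Pattern, Tuple


@dataclass
class Finding:
    rule: str
    severity: str
    line_no: int
    evidence: str


# (rule id, severity, description, pattern).  Each pattern targets one line.
RULES: List[Tuple[str, str, str, Pattern[str]]] = [
    ("W007", "HIGH",
     "secret requested from the user and written verbatim into a dotfile",
     re.compile(r"\b(paste|enter|provide)\b.{0,60}\b(token|api[ _-]?key|secret|password)\b"
                r"|echo\s+[\"']?\w*(TOKEN|KEY|SECRET|PASSWORD)\w*=.*>>?\s*\.?env\b", re.I)),
    ("W011", "MEDIUM",
     "untrusted third-party messages ingested as agent input or control channel",
     re.compile(r"messages\.db|\bJIDs?\b|control channel"
                r"|\b(read|ingest|process)\b.{0,40}\b(messages|chats?)\b", re.I)),
    ("W013", "MEDIUM",
     "persistent system service or host-level change",
     re.compile(r"launchctl\s+(load|bootstrap)|LaunchAgents|LaunchDaemons"
                r"|systemctl\s+enable|crontab\s+-", re.I)),
]

SEVERITY_ORDER = {"HIGH": 2, "MEDIUM": 1, "LOW": 0}


def scan_skill(text: str) -> List[Finding]:
    """Return one Finding per (rule, line) whose pattern matches."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, severity, _desc, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, severity, line_no, line.strip()))
    return findings


def risk_level(findings: List[Finding]) -> str:
    """Overall level is the highest severity seen, like the report's header."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.get, default="NONE")


def summarize(findings: List[Finding]) -> List[str]:
    """One line per rule in the report's "SEVERITY ID: description" style."""
    by_rule = {r[0]: r for r in RULES}
    lines = []
    for rule in sorted({f.rule for f in findings}):
        _id, severity, desc, _pat = by_rule[rule]
        hits = [f.line_no for f in findings if f.rule == rule]
        lines.append(f"{severity} {rule}: {desc} (lines {hits})")
    return lines


# Constructed excerpt written for this example; it is not the audited skill.
CONSTRUCTED_SKILL = """\
# setup (constructed excerpt written for this example; not the audited skill)
1. Ask the user to paste their Claude token.
2. Run: echo "CLAUDE_CODE_OAUTH_TOKEN=<token>" > .env
3. Read recent chats from store/messages.db and record each chat JID.
4. Register the chosen group as the main control channel.
5. Copy the plist to ~/Library/LaunchAgents and run launchctl load on it.
"""

# Constructed benign control: a skill that touches none of the indicators.
BENIGN_SKILL = """\
# lint
1. Run the formatter over src/ and report changed files.
"""


if __name__ == "__main__":
    found = scan_skill(CONSTRUCTED_SKILL)
    print("Risk Level:", risk_level(found))
    for line in summarize(found):
        print(line)
```

The rules are deliberately line-local and regex-based, so they catch the literal phrasing in the constructed text but not a paraphrase; a real scanner needs semantic analysis of the instruction text, which is why the report's findings are stated as model-assessed risks rather than pattern hits.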
Audit Metadata