link-to-im

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly asks the agent to collect API tokens/secrets from the user and write them into config files and run validation commands (while only masking secrets in user-facing output), which requires the LLM to receive and embed secret values verbatim in tool/file-writing or command invocations — creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and forwards arbitrary IM messages and attachments from public/untrusted platforms (Telegram, Discord, Feishu/Lark, QQ, WeChat) into the bridge and LLM pipeline—injecting attachments/paths into prompts and triggering tool calls—as documented in SKILL.md, README.md ("How It Works" and "File Attachment Handling"), and the agent-to-im-core development docs, so untrusted third‑party content can materially influence agent actions.