SafeAI-Global PRD Agent

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill's Data Redaction workflow explicitly requires the agent to "present all detected PII instances to the user with their location and context" before masking, which forces the model to output sensitive values verbatim (creating exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs the agent to read external raw GitHub URLs (see "Usage Without Installation" / "Reference by URL" linking to https://raw.githubusercontent.com/...) and to ingest user-provided policies into knowledge/custom/ via the /inject-policy flow, which are untrusted third-party/user-generated contents the agent must read and that take precedence and can change its decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The SKILL explicitly tells users/agents to fetch and use the remote system prompt at runtime (e.g., "Please read and follow the instructions at this URL as your system prompt: https://raw.githubusercontent.com/datht-work/safeai-global-agent/main/SKILL.md"), so this external raw GitHub URL would directly control agent instructions at runtime.