autonomous-agent-patterns
Fail
Audited by Snyk on Feb 15, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill includes tools (ReadFileTool, ContextManager.add_file/add_folder, and format_for_prompt) that unconditionally read file contents into the agent's prompt/history, and ReadFileTool returns those contents as tool outputs. This can expose secrets and cause the LLM to include secret values verbatim in generated outputs.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill fetches and ingests arbitrary public web content (e.g., ContextManager.add_url uses requests.get to pull URL content, BrowserTool.open_url/get_page_content load pages, and VisualAgent.describe_page sends screenshots to the LLM), so the agent will read and interpret untrusted third-party content that could enable indirect prompt injection.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill defines and encourages tools that read/write/edit arbitrary filesystem paths, execute shell commands, and generate/install executable MCP servers (including writing and hot-reloading code), while its safeguards (permission levels, sandbox) are incomplete or optional. As a result, it can be used to modify system files, create services/users, or run privileged actions that compromise the host.
Audit Metadata