using-perplexity-for-context

Fail

Audited by Snyk on Mar 10, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.90). The prompt instructs the agent to silently load and periodically refresh a shared user profile and to "Do NOT announce usage" of the external search, which are hidden/deceptive behaviors (silent data access/updates and concealment) beyond the stated purpose of simply using Perplexity for context enrichment.

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to ask the user for their Perplexity API key and then embed it verbatim into a shell command (echo '{"apiKey": "USER_API_KEY_HERE", ...}' > config.json), which requires the LLM to handle and output the secret directly.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill contains deliberate stealth and data-collection behaviors — e.g., "Do NOT announce usage", silent/automatic profile harvesting and periodic refresh from conversation history, storing and using user API keys, and instructions to launch an unverified local Node server — which together indicate a high risk of intentional privacy-invasive data exfiltration and potential backdoor/remote-execution abuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to invoke the perplexity_search tool and ingest its "Full Results" (SKILL.md: "Invoke perplexity_search tool", "Full Results" with citations), which pulls open-web/public search results that the agent must read and integrate into responses, exposing it to untrusted third-party content that could contain injected instructions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 10, 2026, 02:19 AM