typo3-powermail

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes explicit examples that embed API credentials in configuration (e.g., apiKey = secret123 in TypoScript/finisher config), which encourages the LLM to output secret values verbatim and thus constitutes insecure credential handling.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill documentation (SKILL.md) explicitly shows runtime integrations that send and ingest data from external URLs—e.g., the SendParametersFinisher configuration (apiUrl = https://crm.example.com/api) and the Custom SpamShield ApiCheckMethod calling an external API—so the agent can receive and act on third‑party responses that materially influence behavior.