ray-so-code-snippet

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill mandates embedding the user's code verbatim (base64 then URL-encoded) into generated URLs/commands, so any secrets present in that code would be output in reversible form and thus exposed.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill fetches and parses theme/language files directly from a public GitHub URL (https://raw.githubusercontent.com/raycast/ray-so/...) and also loads a third-party JS library from the jsdelivr CDN during runtime, so the agent ingests and interprets open/public third-party content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill loads and executes remote JavaScript at runtime from https://cdn.jsdelivr.net/npm/html-to-image@1.11.11/dist/html-to-image.js (injected/executed via agent-browser) and also fetches prompt-control data at runtime from raw GitHub URLs like https://raw.githubusercontent.com/raycast/ray-so/main/app/(navigation)/(code)/store/themes.ts which is parsed to populate user-facing options, so both are required runtime dependencies that execute remote code or directly control prompts.