cold-outbound-optimizer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill asks the user for an Instantly API key and explicitly instructs running commands like python3 scripts/instantly-audit.py --api-key <KEY>, which requires embedding the secret verbatim into generated commands/outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — the skill's scripts/competitive-monitor.py explicitly fetches and scrapes public competitor pricing and blog pages (via fetch_url using URLs from the --config / COMPETITORS_CONFIG or built-in competitors), then parses that untrusted web content into reports that materially influence recommendations and next actions.