ctx

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows passing and storing authentication cookies/headers via CLI (e.g., ctx site set example.com Cookie "sid=abc; token=xyz"), which requires embedding secret token values verbatim in commands/configuration and therefore risks secret exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and renders arbitrary https/github/file URLs and can crawl/scrape public sites (e.g., SKILL.md commands "ctx read ", "ctx scrape ", "ctx crawl ", and references/json.md) and then uses that content (including via ctx json prompts) as part of its workflow, exposing the agent to untrusted third-party/user-generated content that could carry indirect prompt injections.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill fetches arbitrary HTTPS and GitHub URLs at runtime (e.g., github://owner/repo@ref/path and https://github.com/.../blob/...) and commands like ctx json <url> will load that remote page content and pass it to the configured AI model as the extraction context, which effectively allows remote-hosted content to control model inputs and thus agent behavior.