proof
Fail
Audited by Snyk on Mar 10, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to extract access tokens from URLs and embed them verbatim in HTTP headers and curl commands (e.g., x-share-token or Authorization: Bearer), which requires the LLM to handle and output secret values directly.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's workflow explicitly instructs the agent to fetch and read user-created documents from public Proof URLs (e.g., via GET https://www.proofeditor.ai/api/agent/{slug}/state when given a https://www.proofeditor.ai/d/{slug}?token=... link), meaning untrusted third-party content is ingested and used to drive commenting/editing actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime calls to https://www.proofeditor.ai (e.g., /api/agent/{slug}/state and /api/agent/{slug}/ops) to fetch document state that the agent is instructed to use as the "source of truth" and then act on, so external document content can directly control the agent's prompts/behavior.