fresh-auth

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to capture and send the exact verification URL and code verbatim (do not paraphrase), which requires outputting an ephemeral secret/token directly through the LLM.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's CLI scripts (scripts/office-cli.js and scripts/notion-query.js) call the auth proxy at AUTH_SERVICE_URL (default https://auth.freshhub.ai) to fetch Microsoft Graph data (emails, OneDrive files, calendar, people) and Notion pages — these are untrusted, user-generated third‑party contents that the agent reads/parses (e.g., mail bodies, file/text content, Notion blocks) and uses to decide or drive follow‑on actions like sending mail, creating/updating pages, or converting content, so they could enable indirect prompt injection.