social-media-automation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill repeatedly requires reading API keys, tokens, and secret credentials from HAP and then embedding them into API calls and SDK requests (including URL query params and request bodies), which forces the LLM to handle and potentially output secret values verbatim—an explicit high-risk exfiltration pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests open web content from third‑party services (e.g., Tavily search API and the orz.ai dailynews endpoint) as required steps in the SKILL.md workflow and uses those results (titles, URLs, descriptions, search results) to drive content generation, topic selection, and publishing decisions, creating a clear vector for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill dynamically calls the HAP MCP endpoint (e.g., https://api.mingdao.com/mcp?HAP-Appkey=...) at runtime to read the "账号人设" (account persona) records which the skill requires and which directly control generation prompts/instructions (content_style, content_principles, image_generation_prompt), so this external URL is a runtime dependency that influences agent prompts.