cargo-cli-ai

Fail

Audited by Snyk on Mar 30, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt includes an explicit example of passing an API token directly on the command line (cargo-ai login --token <your-api-token>), which encourages embedding secret values verbatim in commands and thus creates a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly allows attaching arbitrary uploaded files to agent releases (see "cargo-ai ai file upload" and adding files via "cargo-ai ai release update-draft --resources") and configuring custom MCP clients by URL (see "mcp-clients" / custom MCP server examples), which the agent will read or call to ground responses or invoke tools, exposing it to untrusted third-party content that can influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill explicitly shows configuring custom MCP clients (e.g., "https://mcp.example.com") which agents call at runtime to invoke external MCP tools, allowing that external URL to execute actions and directly influence agent behavior.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Mar 30, 2026, 05:20 PM
  • Issues: 3