fully-kiosk

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt repeatedly shows examples that embed passwords and API tokens verbatim into URLs, curl commands, YAML/device files, and CLI flags (e.g., &password=YOUR_PASSWORD, devices.yaml password fields, --token YOUR_API_TOKEN), which would require an LLM to output actual secret values if populated—posing direct exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's runtime docs and commands (SKILL.md and reference.md) explicitly allow loading arbitrary external URLs and resources—e.g., loadUrl, importSettingsFile (JSON URL), playSound/playVideo URL, loadApkFile and web automation/jsInjectionOnLoad—so untrusted public web content can be fetched and materially change device behavior.