word-stats

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill must reproduce parts of the user's input verbatim (e.g., "Longest word" and other word outputs), so if the input contains API keys or passwords it will echo them, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly ingests arbitrary user-provided text via "$ARGUMENTS" (SKILL.md input) and processes it for statistics, so untrusted third-party/user-generated content could be read and enable indirect prompt injection.