context-recovery

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt explicitly instructs reading session/channel message content and to quote user requests (via jq/tail and synthesized "quoted request"), so if those messages contain API keys, tokens, or passwords the agent would output them verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's Execution Protocol explicitly fetches and parses channel history via message:read from third-party messaging platforms (Discord/Slack/Telegram/Signal) in Step 2 and uses that user-generated content to synthesize context and drive next actions, exposing the agent to untrusted external content that could carry indirect prompt injections.