jeecg-onlchart

Fail

Audited by Snyk on Apr 27, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt instructs the agent to retrieve and inject credentials from hidden sources (system prompt/memory/global config) and to automatically use local root DB credentials, which are hidden/deceptive instructions to access secrets outside the stated chart-creation purpose.

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly asks for X-Access-Token and YApi/email+password and shows examples where those values are inserted verbatim into headers, Python scripts, and shell commands (including mysql -uroot -proot), so the LLM would need to output secrets directly, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill accepts and parses arbitrary external API URLs and public mock endpoints (Step 2B: cgrSql can contain an API URL and is processed via /online/graphreport/head/parseField?type=API) and includes explicit YApi Mock integration (scripts/yapi_mock.py using https://api.jeecg.com), and those fetched, user-generated responses are used to drive chart field inference and create/edit API calls—so untrusted third-party content can directly influence the agent's decisions and actions.

Issues (3)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 27, 2026, 03:05 AM
Issues: 3