openkakao-cli

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes CLI examples and flags (e.g., --webhook-header 'Authorization: Bearer ...' and --webhook-signing-secret '...') and discusses managing tokens, which encourages embedding user-provided secrets verbatim into generated commands or outputs, creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill content is not overt malware but exposes multiple high-risk abuse surfaces — explicit support for sending chat content to remote webhooks, arbitrary hook-cmd execution, extraction/polling of tokens from Cache.db (login --save, watch-cache), non-interactive/ unattended sends, and guidance for launchd/cron persistence — any of which can be used for data exfiltration, credential theft, remote code execution, and persistent backdoors if misused or operated without user consent.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md clearly instructs the agent to read and watch KakaoTalk messages (e.g., openkakao-rs loco-read, openkakao-rs watch) and to deliver those user-generated chat events to external endpoints or local commands (--webhook-url, --hook-cmd), so untrusted third-party message content is ingested and can influence subsequent actions.