kortix-system

Fail

Audited by Snyk on Mar 3, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly tells the agent to accept user-provided API keys/tokens and to "SET THEM IMMEDIATELY" via curl/HTTP APIs (including examples with Authorization headers and JSON bodies containing secret values), which requires the LLM to embed secret values verbatim in generated commands/requests, creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill contains multiple intentional, high-risk backdoor and exfiltration-enabling patterns — e.g., a localhost-auth-bypass to the secret API, secrets encrypted/derived from an outbound token, an API to set/list/delete secrets from processes with no internal auth, an "integration-exec" that runs arbitrary Node.js code (with OAuth injection), a dynamic proxy that injects Service Workers to rewrite requests, "auto-approve" tool permissions, and cron-triggered agent execution — together these features enable stealthy credential theft, arbitrary remote code execution, and scheduled data exfiltration if abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly includes tools that fetch and ingest open web content (e.g., scrape-webpage.ts and web-search.ts), allows deployments from arbitrary git/tar URLs (source_ref/tar_url), and even states the onboarding command "searches the web for the user", so the agent will read untrusted public/user-generated content as part of workflows and that content can influence actions (proxyFetch/integration-exec, deploy/run, cron prompts), enabling indirect prompt injection.
Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 3, 2026, 08:35 AM