latitude-telemetry

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to ask the user to paste the LATITUDE_API_KEY (and other env values), which requires the LLM to receive secrets and likely embed them in configuration/commands or outputs, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches prompt templates and runtime instructions from Latitude (e.g. via the Run a Prompt endpoint / SDK which use https://gateway.latitude.so), so remote content retrieved at runtime directly controls the agent's prompts and is a required dependency in the prompt-manager / gateway flows.