aif-reference

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill instructs the agent to read local files and "preserve code verbatim" and include source content/paths in generated references, which would cause any API keys, tokens, or passwords present in those files to be output unchanged (creating exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's Workflow Step 1 ("For URLs") explicitly instructs the agent to fetch web pages via WebFetch (and follow linked sub-pages and run WebSearch) and to ingest and synthesize that untrusted public web content into references that other AI Factory skills will read and act on, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). This skill explicitly fetches user-provided web pages at runtime (e.g., https://zod.dev shown in the examples) via WebFetch and injects their content into generated reference files that are consumed as agent context/instructions, so remote URLs can directly control prompts.