desktop-bridge

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to print and "Give all three" tunnel URL and credentials (including username/password) and to propagate or display them (e.g., via --user/--pass), which requires the LLM to output secret values verbatim and thus risks exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill starts rclone serving the agent's WORKSPACE via WebDAV (scripts/start.sh: rclone serve webdav "$WORKSPACE") and exposes it over a Cloudflare tunnel (cloudflared → trycloudflare URL), which allows untrusted remote users to upload or modify files in the agent workspace that the agent may later read, creating a clear indirect prompt-injection vector.