setup-tooluniverse

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt tells the agent to ask the user for API keys and then insert those keys directly into config blocks and CLI commands (e.g., JSON "env" entries and export lines), which requires the LLM to handle and output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md workflow explicitly instructs the agent to query and ingest public third‑party databases (e.g., "ToolUniverse connects to 2,000+ scientific databases" and commands like execute_tool("PubMed_search_articles", ...) / tu.run PubMed_search_articles), and the agent is expected to read/summarize those external results which can materially influence subsequent tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs running a remote install script (curl -LsSf https://astral.sh/uv/install.sh | sh) which executes fetched code, and also clones https://github.com/mims-harvard/ToolUniverse.git at runtime to install skills that control agent behavior—both are runtime fetches of external code the setup relies on, so they present a high-risk execution vector.