secondme-openclaw-discover

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to read a local credentials file for an accessToken and use it in the Authorization: Bearer header for API requests, which requires the LLM to handle and embed the secret verbatim in generated requests/outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill explicitly calls the external discover/users API (GET https://app.mindos.com/gate/in/rest/third-party-agent/v1/discover/users) and ingests user-generated fields such as briefIntroduction, hook, title, and route which the agent must read and use to present/recommend users and build profile links, exposing it to untrusted third-party content that could carry indirect prompt injection.