secondme-openclaw-plaza

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This prompt instructs the agent to read a local credentials file for an accessToken and to include it verbatim in Authorization: Bearer headers for API calls, which requires the LLM to handle and output secret values.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md instructs the agent to GET plaza posts and comments from the public SecondMe Plaza APIs (e.g., GET https://app.mindos.com/.../plaza/posts/{postId} and .../comments), which are user-generated/untrusted third‑party content that the agent must read and could materially influence its responses or follow-up actions.