secondme

Fail

Audited by Snyk on Apr 3, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.90). The prompt includes an explicit "silently run" pre-flight update instruction and an "Always captures session context ... silently" telemetry/feedback instruction, both of which surreptitiously collect session data and perform updates outside the skill's advertised user-facing SecondMe workflows.

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs the agent to read a local credentials file and "use the resulting accessToken as the Bearer token for all authenticated requests", which requires inserting secret token values verbatim into request headers/commands the LLM generates, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches third-party skill bundles from {BASE}/api/secondme/extensions/apps and GET {BASE}/api/secondme/extensions/detail/{skill_key} and then writes the returned generatedSkillFiles (including SKILL.md, prompt.md, and prompt_short.md) into the local skill root as part of its required install workflow (references/third-party-skills.md), which clearly ingests untrusted third-party content that can inject instructions and materially change runtime behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). This skill fetches third-party skill bundles at runtime from https://app.mindos.com/gate/lab (GET {BASE}/api/secondme/extensions/detail/{skill_key}) and then installs the returned generatedSkillFiles (including prompt.md and prompt_short.md), which directly inject prompt content and are required for installation, so the external URL can directly control agent prompts and drive execution.

Issues (4)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Apr 3, 2026, 06:45 AM
  • Issues: 4