building-chat-interfaces

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The SYSTEM_PROMPT is formatted with the user's access_token (and user_id) and instructs the assistant to include them when calling MCP tools. This forces the LLM to receive and emit secrets verbatim and creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly extracts arbitrary webpage content and injects it into agent prompts: see getPageContext (document.querySelector of article/main/body) and the "Ask" selected-text flow, which sends selectedText and pageContext to the agent. The workflow therefore ingests untrusted third-party web content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The Next.js layout includes and loads the external runtime script https://cdn.platform.openai.com/deployments/chatkit/chatkit.js (required to define the ChatKit web component). This executes remote code in the client at runtime and is therefore a runtime external dependency that cannot be verified in advance.
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:46 AM