chatkit-integration

Fail

Audited by Snyk on Mar 1, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs extracting access tokens and injecting them into the system prompt with a CRITICAL instruction that the LLM "MUST ALWAYS include" the access_token (and user_id) in MCP tool calls, which forces the model to handle and output secrets verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly extracts and injects arbitrary page/DOM content into agent prompts (see getPageContext in ChatKitWidget/index.tsx and the server respond() which uses context.metadata.pageContext to build the agent instructions), and it also loads an external ChatKit script from a CDN—so untrusted, user-generated webpage content is read and directly influences agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill loads and depends at runtime on the external script https://cdn.platform.openai.com/deployments/chatkit/chatkit.js (via Next.js beforeInteractive), which is fetched and executed in the browser to define the openai-chatkit web component required for the UI, so it is a runtime external dependency that executes remote code.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 1, 2026, 07:15 PM