chatkit-integration
Audited by Socket on Mar 1, 2026
1 alert found:
Malware: The skill's code and guidance are coherent for integrating ChatKit with a custom backend and Next.js frontend; however there is a high-risk pattern: instructing developers to insert authentication tokens (access_token) into the agent system prompt so the LLM includes them in MCP tool calls. That practice is a credential-forwarding anti-pattern and substantially increases the risk of token leakage via model outputs, logs, persisted conversation data, or downstream tools. Additional risks come from broad page-context and selected-text capture being sent and stored as metadata. The Next.js httpOnly proxy itself is reasonable, but combined with prompt-based forwarding it centralizes a secret and enables exfiltration. Recommended mitigations: avoid embedding tokens in prompts; use short-lived, scoped service tokens for MCP tools when necessary; perform server-side mediation for tool calls rather than letting the model control inclusion of credentials; minimize metadata (scrub PII) and avoid persisting sensitive tokens or raw page content. Overall: not obviously malicious code, but the documented patterns create high potential for credential leakage and data exfiltration if followed.