last30days-3

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt explicitly asks the agent to accept user-supplied secrets (AUTH_TOKEN/CT0, XAI_API_KEY, SCRAPECREATORS_API_KEY, BSKY_APP_PASSWORD, etc.), copy device codes to the clipboard, and write those values into ~/.config/last30days/.env (append/create), which forces the agent to handle sensitive secrets and creates a high risk that secrets could be echoed, embedded in commands, or exfiltrated even if the flow intends silent writes.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.85). The code includes high-risk capabilities for credential access and remote control—browser cookie extraction (including decrypting Chrome cookies via Keychain), automatic injection of those tokens into the tool’s config, subprocess/node invocations using those credentials, writing/updating local .env files, and helper flows that copy codes to the clipboard or open browsers—so although there is no obvious obfuscated payload or explicit exfiltration routine, the combination of features enables easy theft/abuse of session tokens and remote account actions if misused or repurposed.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and ingests public, user-generated content (Reddit threads and comments, X/Twitter posts, YouTube transcripts, TikTok/Instagram captions via ScrapeCreators, Hacker News, Polymarket, and general web search) as part of its mandatory research workflow (see SKILL.md "Research Execution", "Step 1", "Step 0.55/0.75" and the "Security & Permissions" sections), so untrusted third‑party content is read and used to plan queries and syntheses and therefore could carry indirect prompt‑injection instructions.