web-search

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill includes an example that embeds an API key directly in a curl request (https://serpapi.com/search.json?...&api_key=API_KEY), which instructs placing secret values verbatim into generated commands/outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs performing web searches (DuckDuckGo HTML/API, SerpAPI) and fetching arbitrary public pages with WebFetch or curl (e.g., WebFetch(url="https://example.com/article")), so the agent will ingest and interpret untrusted third‑party web content that can influence its actions.