open-terminal-guide

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt contains examples and instructions that place API keys/tokens inline (CLI flags, env vars shown with literal placeholders, Authorization headers, and WebSocket first-message auth), which encourages embedding user secrets verbatim in generated commands or outputs even though it also mentions safer secret-file/env-file options.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill documents runtime endpoints that fetch and ingest arbitrary external URLs (POST /files/upload with a "url" field) and exposes those files for reading/execution (GET /files/read, /files/view) and even notebook execution with an overridable "source" (POST /notebooks/{session_id}/execute), with implementation notes (references/architecture.md) showing httpx is used for URL downloads — meaning untrusted third‑party content can be fetched and then read/interpreted by the agent as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The quick-start Docker command pulls and runs the container image ghcr.io/open-webui/open-terminal (ghcr.io/open-webui/open-terminal), which fetches and executes remote code at startup and is presented as the recommended/runtime deployment method for this skill.