Crab Catch

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to run a script to obtain Crab signature headers and "store the output and attach these four headers to all subsequent API requests," which requires the LLM to include secret header values verbatim in generated requests/commands, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly opens and scrapes arbitrary public websites with agent-browser (agent-browser open ), ingests Twitter/X content via the /api/twitter and /api/readx endpoints (tweets, replies, conversation threads), and fetches GitHub/raw content — all of which are untrusted, user-generated sources that the orchestration flow uses to extract entities and drive follow-up actions, so third-party content can materially influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The GitHub analysis script (skills/scripts/github_analyze.js) fetches raw repository files at runtime from https://raw.githubusercontent.com and converts them into Markdown that is injected into the model context (directly influencing prompts), and this fetch is a required dependency for the skill's GitHub analysis.