voice-calibrator

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill explicitly requires copying user-provided samples and "exact quotes"/phrase fingerprints into generated SKILL.md and outputs (no sanitization), so any secrets present in those samples would be reproduced verbatim by the LLM, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill's required Step 1 "COLLECT Samples" in SKILL.md explicitly instructs gathering and ingesting large numbers of public, user-generated samples (e.g., "Reddit comment history", "HackerNews comments", "Forum posts", "Blog posts") which the analyzer and SKILL.md generation must read and use to drive profile creation and subsequent tool actions, exposing the agent to untrusted third‑party content that can influence behavior.