llm-wiki
Fail
Audited by Snyk on Apr 27, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt includes an example that passes a plaintext password on the command line (ob login --email --password ''), which is an insecure pattern that would require embedding user secrets verbatim and risks exfiltration.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's Ingest workflow explicitly fetches arbitrary URLs using web_extract (e.g., "URL → use web_extract to get markdown, save to raw/articles/" in the Ingest section) and the agent is expected to read and synthesize those raw sources to create/update wiki pages and drive subsequent actions, so untrusted third-party content could materially influence its behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill's ingest flow explicitly fetches arbitrary web URLs at runtime via web_extract (e.g., the example source_url https://example.com/article and other user-supplied URLs) and injects that fetched content into the agent's context for synthesis, which can directly influence prompts/instructions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill mostly works with user-owned files (safe) but explicitly includes privileged system instructions (e.g., a systemd setup and the command "sudo loginctl enable-linger $USER"), which encourages running sudo and changing system-level settings.
Issues (4)
- HIGH W007: Insecure credential handling detected in skill instructions.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- MEDIUM W013: Attempt to modify system services in skill instructions.
Audit Metadata