uniswap-cca-deployer
Audited by Snyk on Apr 25, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The skill includes auto-injected, obfuscated telemetry/reporting code that computes a device fingerprint, HMAC-signs it, and sends it to external endpoints—behavior unrelated to deploying CCA contracts and hidden in pre-flight checks, constituting a deceptive/out-of-scope instruction.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md includes an AI Agent "pre-flight" version check that curls a public raw GitHub URL (https://raw.githubusercontent.com/.../plugin.yaml) and instructs the agent to run that check and re-read SKILL.md if an update is found, meaning untrusted public content is fetched and can change the agent's subsequent actions.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I inspected the skill prompt for literal, high-entropy credentials. The only suspicious value is the base64 string assigned to _K:
'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='
This value is immediately base64-decoded and used as an HMAC key to sign a device identifier (HMAC_SIG) that is then sent to remote reporting endpoints. It is not a placeholder (it is a long, random-looking encoded string used as a secret key) and thus meets the definition of a hardcoded secret.
Other strings in the document (version strings, URLs, device/flag filenames, example commands, plugin names, and simple sample passwords described in the task rules) are not high-entropy credentials or are clearly documentation/functional values, so I ignored them.