invoice-extractor

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt includes examples that pass API keys directly as CLI arguments and in code (e.g., --api-key sk-xxx, api_key="your-key"), which encourages embedding secrets verbatim in generated commands/code and thus creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill directly ingests arbitrary user-provided PDF/image files from the input path (cli.py → InvoiceExtractor.extract_batch / pdf_converter.convert_file) and embeds them as data:image base64 items in messages sent to the external VLM (invoice_extractor/vlm_client.py), so the agent will read and interpret untrusted third‑party content (user-supplied documents) as part of its workflow.

Audit Metadata

Risk Level: HIGH

Analyzed: Feb 16, 2026, 12:59 PM