agent-manager

Fail

Audited by Snyk on Mar 18, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples and commands that pass passwords and access tokens as command-line arguments, and it instructs the agent to emit the RESULT_ACCESS_TOKEN, which forces the agent/LLM to handle and output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The setup scripts (scripts/setup_agent.sh and scripts/matrix_register.sh) contact a configurable Matrix homeserver (HOMESERVER_URL), parse its JSON responses (user_id and access_token) and write them into the agent config. The skill therefore fetches and ingests data from arbitrary, untrusted Matrix servers (public, user-controlled), which can materially influence subsequent agent behavior (via credentials/bindings) as part of the required workflow.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 18, 2026, 09:42 PM
  • Issues: 2