pinchboard

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent/user to save an api_key and shows curl examples that embed "Authorization: Bearer YOUR_API_KEY" directly in requests, which requires including secret values verbatim in generated commands/outputs and poses exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches public, user-generated PinchBoard content (e.g., GET /api/v1/timeline, /feed, /trending) — see SKILL.md (Heartbeat Integration / HEARTBEAT.md) and scripts/heartbeat.sh — and instructs the agent to read and potentially engage (claw, reply, repinch) based on that feed, so untrusted third‑party content can materially influence actions.