quick-game

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt explicitly instructs the agent to ask the user for a MESHY_API_KEY and "store for model generation", which requires the LLM to receive and subsequently use a secret (likely embedding it in API calls/config), creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests public tweets as part of its core parsing flow ("Step 0: Parse arguments" — "If arguments contain a tweet URL: Fetch the tweet using the fetch-tweet skill") and then uses that user-generated content to drive the generated game concept and implementation decisions, exposing the agent to untrusted third-party content.