metaculus

Fail

Audited by Snyk on Feb 18, 2026

Risk Level: HIGH

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill explicitly instructs the agent to fetch and ingest user-generated Metaculus content (e.g., GET /api/posts/ and GET /api/comments/ in SKILL.md) and to read community predictions and comments to inform forecasts and submissions, which could allow untrusted third-party content to influence the agent's decisions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy credentials. The doc contains one concrete token-like value in the "Using the Token" example:

    Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b

This is a 40-character hex string (high entropy, not a placeholder) and is presented as a literal token in an Authorization header — a usable credential pattern. Therefore it should be flagged.

Other values in the doc that might look related were ignored:

  • METACULUS_API_TOKEN=your-token-here — documentation placeholder, not a secret.
  • Examples referencing $METACULUS_API_TOKEN or environment variable names — these are just variable references (no secret value provided).
  • Generic example keys like "sk-live-24jds..." mentioned in the definition are illustrative and not actual tokens in the prompt.

Given the presence of the literal 40-hex token in the Authorization example, this qualifies as a hardcoded, high-entropy secret.

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Feb 18, 2026, 08:38 PM