pachca-forms

Fail

Audited by Snyk on Mar 7, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill requires sending an Authorization: Bearer <ACCESS_TOKEN> header and even instructs the agent to ask the user for the token if it is unknown, which forces the agent to use (and potentially emit) the secret verbatim in requests and commands unless runtime environment variables or internal CLIs are strictly used.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's "Process form submission (view_submission)" workflow explicitly requires downloading files from data.field_name[].url provided in form submissions (links in the submit webhook). These files are user-uploaded, untrusted third-party content that the agent must ingest and that can influence subsequent processing.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 7, 2026, 03:33 PM