pckle

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt contains explicit examples that pass API keys directly on the command line (e.g., pckle login --api-key <API_KEY> and export PINECONE_API_KEY=<API_KEY>), which encourage embedding secret values verbatim in commands/outputs and thus pose a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly includes a workflow type "import_huggingface" and describes ingesting/searching knowledge indexes and using the returned results ("Search then act"), which shows the agent can import and read public, third‑party (potentially user‑generated) content from external sources and act on it.