aqua-voice-malleability
Fail
Audited by Snyk on Feb 19, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt includes an explicit telemetry API key and describes/exemplifies token extraction and injection (e.g., passing a Bearer token into WebSocket headers and flows that "extract token" and "inject with token"), which encourages reading and embedding secrets verbatim in commands or requests.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The content contains explicit, actionable instructions for IPC injection (Electron DevTools/CDP), token extraction and reuse, direct WebSocket connections for sending audio/transcripts, and coordinated flows for intercepting and exfiltrating data—behaviors that enable credential theft, remote code execution and data exfiltration.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs connecting to and reading from a public WebSocket endpoint (wss://aqua-realtime.fly.dev) and REST endpoints (https://aqua-server.fly.dev), including receiving transcripts via ws.recv() and monitoring the stream, which means the agent will ingest untrusted, user-generated third-party content as part of its workflow and that content could influence actions.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I looked for high-entropy, literal values that could provide access to a service and ignored obvious placeholders, simple setup passwords, truncated/redacted strings, and mere environment variable names.
Findings:
- The PostHog entry "phc_N50q2qpNMS9QjJe1gBOQekcPH0wO8x6ZerI95Xi6meO" is a high-entropy literal token (prefixed with "phc_") and appears to be an actual telemetry/project API key. This meets the definition of a secret and should be treated as sensitive.
- The Sentry entry "o1143996.ingest.us.sentry.io" is just a hostname/ingest endpoint (no DSN or public key included) and is not a secret — ignore.
- Other values (endpoints like *.fly.dev, localhost URLs, parameter named token, example code snippets, simple strings) are either domain names, placeholders, or non-sensitive and were ignored per the rules.
Therefore, a real high-entropy credential is present (the PostHog token).
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly describes and instructs IPC injection, enabling remote debugging/DevTools CDP attacks, token extraction, and WebSocket injection to bypass app controls and manipulate a local application's runtime state, which constitutes actively compromising the machine/application security.
Audit Metadata