inboxmate-demo

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt explicitly requires using an "Authorization: Bearer " for MCP calls and tells the agent to ask a human for the token if it's not in an env var, which can cause the LLM to receive and embed a secret value into requests or generated commands (exposing it verbatim).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's Phase 1 "Research the Prospect" workflow explicitly instructs the agent to use WebFetch to scrape public company websites (homepage, /about, /products, /pricing, /faq, /contact, etc.) and ingest that untrusted third‑party content into knowledge buckets and the agent's system prompt, which can directly influence agent behavior and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs at runtime to WebFetch arbitrary site pages (e.g., "https://[domain]/[page]" — homepage, /about, /pricing, /faq) and then injects that scraped content directly into knowledge items and the system prompt, so those external URLs can directly control agent prompts.