review-demos
Fail
Audited by Snyk on Mar 27, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). This prompt instructs the agent to read secret tokens from a .env file and then embed them verbatim into curl/API requests and Authorization headers, forcing the LLM to handle and output secret values directly and creating a high exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly WebFetches company websites from company.domainName.primaryLinkUrl and calls OpenBrand (https://openbrand.sh/api/extract?url=...) to extract brand colors and reads demo pages, and it then interprets that content to score/auto-fix demos and call APIs (update_widget_style, Supabase SQL), so untrusted third-party pages can materially influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly calls the InboxMate MCP endpoint (https://app.psquared.dev/api/mcp) at runtime to perform actions (update_widget_style, publish_agent) and to execute raw Supabase SQL via a plugin (mcp__plugin_supabase_supabase__execute_sql), which runs code/queries on remote infrastructure and is required for the auto-fix flow.
Issues (3)
W007
HIGH: Insecure credential handling detected in skill instructions.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata