quark-search

Fail

Audited by Snyk on Feb 20, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs extracting and then embedding share secrets (stoken) and user-provided extraction codes/passcodes directly into generated curl commands/URLs, which requires the LLM to output secret values verbatim and creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and parses results from public PanSou endpoints (https://s.panhunt.com/api/health and /api/search) and public Quark share pages (https://pan.quark.cn/...), consuming untrusted, user-generated third-party content as part of its required workflow to decide which links to validate and to trigger save/download actions in the Quark app.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 20, 2026, 03:10 AM