pubnub-live-voting

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires including PubNub publish/subscribe keys in SDK initialization and examples, which forces the agent to insert API key values (or request and echo them) verbatim in its output, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill ingests and acts on real-time, user-published messages (untrusted user-generated content) from PubNub channels such as poll..votes, poll..results, poll..admin and polls.directory (e.g., votes, meta, and admin messages are read/subscribed and processed by Before Publish Functions and client listeners), which could enable indirect prompt-injection if adversarial content is published to those channels.