ravi

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to store, retrieve, and transmit plaintext secrets (e.g., OTPs, API keys) and even shows examples like ravi secrets set OPENAI_API_KEY "sk-..." and states "You send and receive plaintext," which requires the LLM to handle and could cause it to output secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). Although no obfuscated code or explicit remote backdoor is present in the documentation, the skill explicitly provides agents with real inboxes/phone numbers, automatic OTP/verification-link extraction, CRUD access to API keys and secrets, and identity/verification tokens—capabilities that directly enable credential theft, account takeover, and secret exfiltration if abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and reads incoming, user-generated emails and SMS (see SKILL.md "Read incoming SMS or email" and the ravi-inbox/ravi-login OTP workflows), which are untrusted third‑party content that the agent is expected to interpret and can materially change actions (e.g., extracting OTPs, following links), so it clearly enables indirect prompt injection risk.