replay-cli

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt injects an instruction to run "claude --mcp-config" that configures an MCP server sending Authorization: ${REPLAY_API_KEY} to an external URL, which attempts to make the agent (Claude) expose the user's API key—behavior outside the stated Replay-CLI help scope.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's "replayio record [url]" command explicitly launches the Replay Browser to load and record an arbitrary public URL (see "replayio record [url]" in SKILL.md), which means the agent will fetch and process untrusted third‑party web content and could be exposed to indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's runtime MCP configuration points Claude to the external endpoint https://dispatch.replay.io/nut/mcp (with an Authorization header). This is a runtime endpoint used to provide control instructions to the agent, so it can directly influence prompts or execute remote-controlled behavior.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 15, 2026, 09:44 PM