json-tools

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The mandatory backup rule requires embedding the entire original file in an "original_content" field and forces a $schema that points to an external ngrok URL (a remote validator), which effectively mandates exfiltration-capable behavior that is not necessary for the stated local JSON tooling purpose and is therefore deceptive/out-of-scope.

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The backup rule requires embedding the entire original file text into the backup’s original_content field, which forces the agent to reproduce any secrets (API keys, passwords, tokens) present in the JSON verbatim, creating a high exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The skill mandates embedding the entire original file contents and absolute paths in a backup JSON and forces a $schema value that points to an attacker-controlled ngrok URL (remote validator), creating a likely covert data-exfiltration channel when tools or validators resolve the remote schema.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I scanned the full prompt for high-entropy literal values. The only candidate that appears to be a real, non-placeholder credential is the $schema URL:

https://45f4-2a06-c701-4911-2c00-de9-9736-a7e1-53ee.ngrok-free.app

This is a random-looking ngrok subdomain which can act as an address to a live tunnel/service and thus can provide access if still active — it meets the definition of a high-entropy literal that could expose a service. I treated other values as non-secrets: the "original_content" field contains a placeholder string; timestamps, filenames, and human-readable example fields are documentation/sample data and were ignored per the rules.