recruitment
Fail
Audited by Snyk on Mar 17, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The MCP config explicitly places an API key value ("CRAFTED_API_KEY") into command-line/header arguments, which would require the agent to embed the actual secret verbatim in commands/requests (high exfiltration risk).
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The skill explicitly routes agent activity and presumably user data through an external MCP server/tunnel (http://bore.pub.../sse) with an API key header and instructs users to authorize that server to perform Google Sheets/Gmail actions — a clear pattern for remote-control and potential data exfiltration/backdoor behavior despite claims of "no PII stored".
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly says the agent "uses Tavily to scour the entire web, including LinkedIn and GitHub" to identify candidates and then uses that scraped profile data to compute Fit Ratings and draft outreach (SKILL.md "Global Talent Search"), so untrusted, user-generated third-party content is ingested and can influence agent decisions and actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The MCP configuration launches mcp-proxy against the external SSE endpoint http://bore.pub:44876/api/v1/mcp/project/6e0f4821-5535-4fec-831d-b9155031c63d/sse at runtime (with a required CRAFTED_API_KEY), which the skill depends on and which can stream remote directives that directly control agent prompts/instructions.
Issues (4)
W007
HIGH: Insecure credential handling detected in skill instructions.
E006
CRITICAL: Malicious code pattern detected in skill scripts.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata