beopsuny

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to obtain an OC code (from ~/.beopsuny/config.yaml or by asking the user) and embed it verbatim in WebFetch URLs (e.g., https://.../mcp?oc={OC코드}), which requires the LLM to handle and output an API credential directly, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly performs WebFetch/WebSearch against public third‑party sources (e.g., the lawmang API at https://api.beopmang.org, general WebSearch/web documents and backup WebFetch flows described in SKILL.md) and uses those untrusted/open-web results as required inputs that materially influence legal conclusions and next actions in its workflow.