paywall-editor

Fail

Audited by Snyk on Apr 15, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly asks for a pairing code (a short-lived authentication secret) and instructs the agent to embed it verbatim into CLI commands like scripts/sw-editor.sh attach <pairing-code>, which requires the LLM to handle and output a secret value directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill attaches to a live browser editor via the relay (DEFAULT_BASE_URL https://mcp.superwall.com) and explicitly fetches the browser's tool list and runtime data through the attach/tools/call endpoints and workflow tools like get_subtree, get_screenshot, and get_products, meaning it reads and acts on arbitrary user-generated editor content (untrusted third‑party content) that can materially influence subsequent tool calls and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill makes runtime requests to the external relay at https://mcp.superwall.com (DEFAULT_BASE_URL) to claim sessions and fetch live tool definitions/control tokens that directly determine which tools/commands the agent can invoke, and the skill requires that remote content to operate.

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 15, 2026, 05:37 PM
Issues: 3