lf-discovery

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill enforces "fidelity" to inputs and explicitly asks about environment variables/credentials, saving and embedding input content verbatim into generated files (discovery.md and inputs/*), so any API keys or passwords provided will be output and persisted unmasked.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches user-provided public URLs via "WebFetch" in FASE 1 ("Se [1]: Use a ferramenta WebFetch para buscar o conteúdo da URL") and runs WebSearch in FASE 6 to gather market references, and those external, potentially user-generated pages are read and incorporated into the discovery workflow and decisions (discovery.md), allowing third-party content to materially influence agent actions.