youmind

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes explicit examples and a per-command --api-key sk-ym-xxx option (and a literal sk-... placeholder), which encourages embedding API keys directly in generated commands or outputs, creating a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill issues requests to the YouMind API (default endpoint https://youmind.com) via the youmind CLI (e.g., youmind search/youmind call) to fetch and manage user-generated content such as boards, notes, and picks, which the agent is expected to read and could therefore contain untrusted instructions that influence its actions.