wachi

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows and instructs embedding API tokens and LLM keys verbatim in apprise URLs and config files (e.g., slack://xoxb-token, "api_key: "sk-..."") and would require the agent to accept and output those secret values in generated commands/config — an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). Most links are benign (official GitHub, YouTube, Hacker News, example.com), but the presence of a direct raw.githubusercontent.com install.sh and explicit curl ... | sh install instruction is a high‑risk distribution vector that could deliver malware if the script or repository is untrusted or compromised.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). wachi explicitly subscribes to and fetches arbitrary public URLs (via wachi sub <apprise-url> <url> and RSS discovery) and uses an agent-browser + LLM to analyze page HTML/a11y trees and summarize article content (see SKILL.md Quick Start/Commands and references/spec.md "Fetch HTML, auto-discover RSS" and "LLM-Based CSS Selector Identification"), so untrusted third‑party content can influence selector identification, summaries, and subsequent notification/send actions.