amazon-movers-shakers
Fail
Audited by Snyk on Feb 28, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). Insecure: the prompt shows patterns that embed API keys verbatim (e.g., the CLI flag `--api-key YOUR_KEY` and the JSON entry `"secret-key": "YOUR_API_KEY"`), which would require the agent to include user secrets directly in commands and configuration files.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and ingests open/public third-party content by scraping Amazon Movers & Shakers pages (e.g., https://www.amazon.com/Best-Sellers/zgbs), as described in SKILL.md ("真实爬取", i.e. "real scraping") and implemented in scripts/scrape_amazon.py (scrape_real_data). The scraped product/page content is parsed and used to drive filtering and selection decisions (suitable_for_temu), so untrusted web content can materially influence the agent's actions.
Audit Metadata