activity-push

Fail

Audited by Snyk on Mar 30, 2026

Risk Level: HIGH
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill fetches public WeChat article feeds (see scripts/fetch_recent_feeds.sh, which curls FEED_URL="${MP_API_HOST%/}/feed/${MP_ID}.json") and writes raw.json, which SKILL.md explicitly instructs the model to read and interpret in order to semantically decide activities and drive downstream outputs and pushes. The skill therefore ingests untrusted, user-generated third-party content that can influence its actions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the prompt for high-entropy, literal values that could be used as credentials.

Flagged:

  • WE_COM_WEBHOOK_KEYS=2449ebfdd2b2a1f20d88f797e3627d8fc6 — This is a 32-character hex-like string presented inline as an environment variable value and later used directly in example curl commands. It looks like a real webhook key (high entropy, directly usable in the documented push flow) rather than an obvious placeholder, so it should be treated as a hardcoded secret.

Ignored (not flagged) with reasons:

  • AMAP_WEB_SERVICE_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx — clearly a redacted/placeholder value (repeated 'x'), so ignored.
  • MP_API_HOST=..., MP_API_KEY=... and other "YOUR_KEY"/"YOUR_AMAP_WEB_SERVICE_KEY"/"YOUR_API_KEY" examples — documentation placeholders per the rules, ignored.
  • Values like MEDIA_ID_FROM_UPLOAD, YOUR_KEY, and short/simple example passwords or obvious example tokens in templates — ignored as placeholders or non-secrets.

Conclusion: one real-looking, high-entropy credential is present (the WE_COM webhook key). I did not flag placeholders or redacted/truncated values per the given rules.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 30, 2026, 01:08 PM
Issues: 2