oneshot-ship
Fail
Audited by Snyk on Mar 2, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt explicitly shows API keys stored in ~/.oneshot/config.json (e.g., "anthropicApiKey": "sk-ant-...") and describes configuring API keys via oneshot init, which encourages the agent to read and embed secret values verbatim into config, commands, or requests—creating an exfiltration risk (even though env var usage is mentioned, the clear config-file pattern is insecure).
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). Oneshot explicitly fetches a Linear ticket as context ("With Linear ticket: oneshot — Fetches the ticket as context"), meaning it ingests third‑party, user‑generated content that the agent will read and use to drive planning and code actions.