everything-claude-code-agent-harness

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt doesn't explicitly ask the LLM to solicit secrets, but it instructs automated capture of session command history and an auto-extraction pipeline that writes command patterns into generated skill files with only limited sanitization, which can cause API keys/passwords present in history to be reproduced verbatim (exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The skill explicitly configures an MCP "github" server (mcpServers.github) and includes commands like "ecc work-items sync-github --repo owner/repo", which causes the agent to fetch and ingest user-generated GitHub content (public repos/discussions) that can influence agent decisions and tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The MCP server configuration invokes npx to fetch and run an external package at runtime (args: "-y", "@modelcontextprotocol/server-github" — i.e., npx -y @modelcontextprotocol/server-github), which will execute remote code and can supply model context that directly affects agent prompts, and the skill configuration relies on these MCP servers.