security-audit

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt’s scanning scripts and examples explicitly search for and echo matching secret strings (e.g., printing "Hardcoded password: $line", pre-commit hook matches, and hardcoded API_KEY examples), which requires reading and potentially outputting secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly instructs fetching and interpreting live remote sites (e.g., "HTTP security headers" with curl -sI https://example.com and "SSL/TLS Verification" using openssl s_client -connect example.com:443), meaning untrusted public website responses could be consumed and influence audit findings and subsequent actions.