mr-obsidian

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill mandates keeping the input text verbatim and outputting the full transcript, so any secrets present in the user's input (API keys, tokens, passwords) would be reproduced exactly, creating a direct exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's required workflow (SKILL.md "Auto-Update Check") runs scripts/check_update.py, which fetches a remote SKILL.md from a raw.githubusercontent.com URL and the script's output (UPDATE_AVAILABLE and UPDATE_COMMAND) is used to decide and execute update actions, meaning public GitHub content can directly influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The script scripts/check_update.py fetches the remote SKILL.md from https://raw.githubusercontent.com/{owner}/{repo}/main/.agents/skills/{skill_name}/SKILL.md at runtime (repo_raw), and that fetched content can cause the skill to run the printed "npx skills update ..." which would download and execute remote code, so this runtime fetch poses a clear code-execution/control risk.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The prompt explicitly instructs the agent to run a local update script and to attempt updating/installing software (e.g., via an UPDATE_COMMAND and an npx install), which will modify files and installed packages on the machine even though it does not request sudo or create users.