security-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The workflow mandates line-by-line analysis and including "Code Snippet" in findings but gives no guidance to redact or avoid verbatim secrets, so reporting hardcoded credentials would likely cause the LLM to output secret values directly (exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly requires the agent to fetch and load mandatory rule files from the public Project CodeGuard GitHub repository (e.g., https://github.com/cosai-oasis/project-codeguard/tree/main/sources/core and .../sources/owasp), untrusted user-generated third-party markdown that the agent must read and apply to drive analysis and actions, enabling indirect prompt-injection via those rules.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill mandates fetching and loading Project CodeGuard rule files at runtime (e.g., https://github.com/cosai-oasis/project-codeguard/tree/main/sources/core and https://github.com/cosai-oasis/project-codeguard/tree/main/sources/owasp), which are required external resources whose fetched content directly controls the agent's prompts/rule logic for the review.