PAIUpgrade

Fail

Audited by Snyk on May 2, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill mandates reading local config files (e.g., ~/.claude/.../settings.json, hooks/) and instructs the agent to "quote or code-block the actual content" for extracted techniques. This would force verbatim inclusion of any API keys, tokens, or passwords found in those files, creating a direct exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests untrusted public content: blogs, docs, GitHub repos, and changelogs via Tools/Anthropic.ts and the Upgrade workflow's Thread 2, and YouTube transcripts via the YouTube Agent/yt-dlp/GetTranscript flow in Workflows/Upgrade.md and Workflows/FindSources.md. It then extracts techniques that directly drive recommendations and code/config changes, so external content can materially influence agent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). Tools/Anthropic.ts (used at runtime) fetches changelogs/docs such as https://github.com/anthropics/claude-code/blob/main/CHANGELOG.md, and the skill then injects the quoted fetched content (docs/transcripts) into agent analysis and output. Remote content therefore directly controls the agent's prompts/context and is a required runtime dependency.

Issues (3)

HIGH W007: Insecure credential handling detected in skill instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: HIGH
Analyzed: May 2, 2026, 01:03 AM
Issues: 3