ops-fires

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to resolve secrets (env vars, doppler secrets get --plain, password_manager commands) and includes example commands that embed tokens, which can force the LLM to retrieve and place secret values verbatim into generated commands/outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly uses WebFetch to read public status pages (e.g., https://health.aws.amazon.com/health/status and Vercel status), WebSearch to query arbitrary web results for outage patterns, and ingests external-projects data / Sentry API results (curl to sentry.io and ops-external pre-gathered data) which the agent parses and acts on, exposing it to untrusted third-party content that could carry indirect prompt-injection instructions.