ci-pipeline-monitor

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires using an ADO_TOKEN bearer token and even instructs the agent to "Pass the ADO_TOKEN to each sub-agent" and include it in API calls, which forces the LLM to handle and emit the secret verbatim (high exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly downloads and ingests third-party test data (AzDO Test Results API at https://dev.azure.com/dnceng-public/... via scripts/extract_failed_tests.py) and full Helix console logs (https://helix.dot.net/... via scripts/fetch_helix_logs.py) which the agent is instructed in SKILL.md and references/triage-workflow.md to read and verbatim-extract/interpret to drive triage, grouping, GitHub searches, and DB updates — exposing it to untrusted external content that can influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches runtime content from Azure DevOps and Helix (e.g., https://dev.azure.com/dnceng-public/public/_apis/... and https://helix.dot.net/api/2019-06-17/jobs/{job_id}/workitems/{work_item}/console) which is read verbatim and injected into the agent/LLM triage prompts (error_message/stack_trace and full console logs) and is a required dependency of the skill, so it directly controls model input at runtime.