setup-context
Fail
Audited by Snyk on May 5, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt explicitly tells the agent to ask the user for "auth credentials" and to write a nao_config.yaml from those answers (and then run/init/sync), which can lead the agent to embed secret values verbatim in generated files/commands despite some guidance to prefer env refs — creating a high exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly asks for SSH git URLs for external repos and instructs the agent to clone/sync those repositories as "extra context" (see "Step 1 — Ask everything" and the repos/nao sync instructions in SKILL.md), which means the agent will ingest and act on arbitrary user-provided third-party repository content that could contain malicious or instructional text.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches warehouse-specific config at runtime from https://docs.getnao.io/nao-agent/context-builder/databases and clones provided SSH git repos (e.g., git@github.com:org/repo.git) during nao sync; these external fetches are required and their contents are used to build the agent context and determine prompts, so they directly control agent behavior.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata