architecture

Fail

Audited by Snyk on Mar 29, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.90). The prompt explicitly instructs the agent to retrieve a GitHub auth token and write it into ~/.git-credentials (via gh auth token ... embedded in a URL). This directs the agent to access and expose sensitive credentials and is unrelated to the core content-generation steps of building the architecture map.

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs writing a GitHub auth token into a plaintext credentials file and using a push command that embeds the token in a remote URL (echo "https://GGPrompts:$(gh auth token --user GGPrompts)@github.com"). The secret is thereby exposed twice: on the command line, where it is visible in shell history and process listings, and at rest in a plaintext file on disk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The content contains explicit, high-risk instructions to retrieve and persist a GitHub auth token in plaintext and use it to push changes (enabling credential theft and supply-chain compromise), plus automated agent behaviors and remote script/CDN dependencies that could be abused to exfiltrate data or inject malicious payloads.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). Phase 1 (Research) explicitly instructs two sonnet subagents to use WebSearch and WebFetch "for documentation pages, GitHub READMEs, and architecture docs" — i.e., open/public, user-generated web content that the agents must read and use to drive their mapping decisions, which could allow indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt instructs the agent to read and write project files (create/append HTML under architecture/...), modify the user's home credentials file (~/.git-credentials) and run git push with an auth token embedded in the remote URL. These actions change machine state outside the project and can exfiltrate credentials, so they are flagged.
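The credential findings above (E004, W007, W013) and the W011 web-content finding all reduce to a few textual patterns that can be checked before a skill is installed. The checker below is an added example written for this page; it is not Snyk's scanner, and the sample skill text inside it is constructed to mirror the quoted instructions (the "Publish" heading and the repository name are placeholders). It flags a token interpolated into a URL authority, appends to ~/.git-credentials, direct calls to gh auth token, and use of WebSearch/WebFetch, and it masks the secret component of any URL before reporting so that the checker does not itself reproduce the token.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample text in the shape of the skill instructions the audit
# describes. It is not the audited skill; the repository name is a placeholder.
SAMPLE_SKILL = """\
## Phase 1: Research
Spawn two sonnet subagents; each uses WebSearch and WebFetch for documentation
pages, GitHub READMEs, and architecture docs.

## Publish
1. Create architecture/index.html from the research notes.
2. Run:
   echo "https://GGPrompts:$(gh auth token --user GGPrompts)@github.com" >> ~/.git-credentials
   git push "https://GGPrompts:$(gh auth token --user GGPrompts)@github.com/GGPrompts/example.git" main
"""

# A secret in a URL authority: $(command), $VAR / ${VAR}, or a literal token.
_SECRET = r"(?:\$\([^)]*\)|\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|[^\s@/]+)"

# (rule id, severity, description, pattern). Rule ids reuse the audit's codes.
RULES = [
    ("W007-url-secret", "HIGH",
     "credential embedded in a URL authority (user:secret@host)",
     re.compile(r"https?://[^\s/:@]+:" + _SECRET + r"@[^\s/]+")),
    ("W007-plaintext-store", "HIGH",
     "write to the plaintext git credential store",
     re.compile(r"(?:>>?|\btee\s+(?:-a\s+)?)\s*\S*\.git-credentials")),
    ("E004-token-read", "CRITICAL",
     "shell command that retrieves an auth token for the agent",
     re.compile(r"\bgh\s+auth\s+token\b|\bgit\s+credential\s+fill\b")),
    ("W011-web-content", "MEDIUM",
     "agent reads third-party web content (indirect prompt injection surface)",
     re.compile(r"\bWeb(?:Fetch|Search)\b")),
]

SEVERITY_RANK = {"MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int
    text: str  # the offending line, with any URL-embedded secret masked


def redact(line: str) -> str:
    """Mask the secret part of user:secret@host so the report itself does not
    reproduce a token (the scanner must not become another leak path)."""
    return re.sub(r"(https?://[^\s/:@]+:)" + _SECRET + r"(@)", r"\1***\2", line)


def scan(text: str) -> list[Finding]:
    """Run every rule over every line of a skill's instructions or scripts.
    Rules match on the raw line; only the recorded text is redacted."""
    out: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for rule_id, sev, _desc, rx in RULES:
            if rx.search(line):
                out.append(Finding(rule_id, sev, n, redact(line.strip())))
    return out


def verdict(findings: list[Finding]) -> tuple[str, str]:
    """Overall (risk level, Pass/Fail): any HIGH or CRITICAL finding fails."""
    if not findings:
        return "NONE", "Pass"
    top = max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity
    return top, ("Fail" if SEVERITY_RANK[top] >= SEVERITY_RANK["HIGH"] else "Pass")


if __name__ == "__main__":
    found = scan(SAMPLE_SKILL)
    for f in found:
        print(f"{f.severity:8} {f.rule:22} line {f.line_no}: {f.text}")
    print("Risk Level: %s, %s" % verdict(found))
```

Run as a script it prints one line per finding and an overall verdict. The safe alternative to the flagged pattern is to let git obtain credentials at push time through a credential helper (gh auth setup-git configures gh as one), so the token never appears on a command line, in shell history or process listings, or in a plaintext file.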

Issues (6)

E004  CRITICAL  Prompt injection detected in skill instructions.

W007  HIGH      Insecure credential handling detected in skill instructions.

E006  CRITICAL  Malicious code pattern detected in skill scripts.

W011  MEDIUM    Third-party content exposure detected (indirect prompt injection risk).

W012  MEDIUM    Unverifiable external dependency detected (runtime URL that controls agent).

W013  MEDIUM    Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 29, 2026, 02:15 AM
Issues: 6