news

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly tells the agent to run a push command that echoes the GitHub auth token into ~/.git-credentials (via "https://GGPrompts:$(gh auth token --user GGPrompts)@github.com"), which requires handling and embedding a secret credential in plain text—an insecure credential-handling/exfiltration pattern.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content contains an explicit, deliberate credential-harvesting instruction—running a shell substitution to extract a GitHub CLI auth token and writing it into ~/.git-credentials before pushing—which is a clear backdoor/credential-theft pattern; other parts look like benign publishing workflow.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Phase 1 research explicitly launches sonnet subagents that use WebSearch and scrape public sites (e.g., Agents 1–6: "Search" for news, GitHub trending pages, aggregator sites, official blogs and community posts, and GitHub releases pages), so the agent ingests untrusted, user-generated third‑party web content and uses those findings to rank stories, choose the lead, and drive publishing actions.