configure-agent-pr-attestation

Fail

Audited by Snyk on Jun 15, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to ask the user for an API key (PAT) and then write it verbatim into ~/.harness/auth.json via a here-doc (and may request cosign passphrases/paths), which requires the LLM to handle and output secret values directly.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill intentionally captures AI agent transcripts (including chain-of-thought), PR URLs and commit SHAs and automatically signs/uploads them to an external Harness Evidence Vault — effectively automated data exfiltration of potentially sensitive code, secrets, and internal prompts without per-upload confirmation.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (medium risk: 0.65). The required runtime path ingests outsider-authored free text via the hook’s INPUT=$(cat) and subsequent parsing of .tool_response.stdout/.tool_response.stderr to extract PR_URL (these fields come from the agent/tool execution output, which can include arbitrary text from external systems like GitHub/GitLab/etc.).

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Jun 15, 2026, 12:57 AM
Issues: 3