improve-skill

Fail

Audited by Snyk on Mar 12, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt tells the agent to read arbitrary local skill/agent files and to pass their full contents verbatim into Task calls and inline injections, so any API keys or secrets inside those files would be forwarded/exposed (no redaction or avoidance guidance).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's Phase 2 research steps explicitly fetch and read third‑party web content (agents/ecosystem.md directs fetching SKILL.md files from GitHub and agents/vendor-docs.md uses WebSearch to pull vendor/web sources), and that untrusted content is synthesized and used to drive recommendations, creating a clear avenue for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Issues (3)

HIGH W007: Insecure credential handling detected in skill instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 12, 2026, 07:56 AM
Issues: 3