declarative-agent-developer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires reading M365_TITLE_ID from env/.env.local and inserting its value verbatim into the test URL shown to the user, which forces the agent to output an environment-held value (potentially sensitive) directly.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The content is largely legitimate developer guidance but includes high-risk instructions that explicitly direct reading and silently extracting local OAuth tokens (~/.mcp-auth), running arbitrary npx packages/remote CLIs, and executing curl commands with embedded tokens—behaviors that could be used to steal credentials or exfiltrate data and enable remote access; combined with mandatory automated provisioning and enforced use of the skill (persistence/self-promotion), this creates a significant abuse/supply-chain risk if the skill or an operator is malicious.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and consume external, user-provided URLs (e.g., OpenAPI specs via --openapi-spec-location in references/api-plugins.md and OAuth well-known discovery in references/authentication.md), causing the agent to read and act on untrusted third-party content which can influence tool behavior and plugin configuration.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly shows and requires using an OpenAPI spec URL (e.g., https://repairshub.azurewebsites.net/openapi.json) as the --openapi-spec-location for the ATK CLI—which will be fetched at runtime and whose specification/metadata can be incorporated into the generated plugin manifest (description_for_model / functions) and thus directly influence agent prompts/behavior—so this is a runtime external dependency that can control the agent.