security-audit

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt dispatches an auditor over branch diffs and orders verbatim reporting of its findings (including PR bodies/file contents), so if the auditor discovers secrets (API keys, passwords, tokens) the LLM is required to output them verbatim, enabling exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill injects PR metadata (specifically the required pre-gathered context line PR metadata (if open): !\gh pr view --json title,body,comments``) which fetches user-generated GitHub PR titles/bodies/comments that the agent will read and use to scope the audit, exposing it to untrusted third-party content that could contain indirect instructions.