accessing-github-repos

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to detect and read GitHub PATs from environment variables and project files and then inserts those tokens into Authorization headers and API requests (and even shows a literal token-like example), which requires handling/outputting secret values verbatim and enables exfiltration.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). These are official GitHub raw/API endpoints (not inherently malicious) but they can deliver arbitrary scripts/binaries and the skill’s instructions to fetch/execute files and automatically detect/use PATs (potentially exfiltrating credentials or enabling repo write access) make them a moderate-to-high risk for malware distribution and credential compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — SKILL.md explicitly includes runtime code and examples (e.g., "Fetch Single File" and the Bash curl examples that call https://api.github.com and https://raw.githubusercontent.com) that fetch public GitHub repository content (user-generated/untrusted), which the agent is expected to read and could materially influence subsequent actions.