skill-builder

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill repeatedly requires reading and copying content verbatim (e.g., "MOVE content, don't rewrite it", preserve directives verbatim, show exact before/after diffs, and move "IDs/accounts" into reference files), which forces the LLM to output any secret values that happen to be present in those files.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly mandates a "research assistant" teammate that uses WebSearch, WebFetch and Jina MCP tools (read_url/search_web) to fetch and read arbitrary web pages which other agents consume to inform plans and actions (see references/agents-teams.md and references/procedures/agents.md), creating a clear channel for untrusted third-party content to influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's /skill-builder update command runs bash -c "$(curl -fsSL https://raw.githubusercontent.com/odysseyalive/claude-enforcer/main/install)", which fetches and immediately executes remote installer code at runtime (supply‑chain risk).