box
Fail
Audited by Snyk on Jun 17, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill explicitly requires the coordinator to extract and include the user-provided URL verbatim in every subagent brief (anchor, slug, and url), so if a URL contains embedded credentials or tokens those secret values would be propagated and output by the agent, creating an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The runtime LLM context can include outsider-authored free text from the Prepare subagent when it executes git clone/git pull on a user-supplied VCS URL and then (per the pipeline) the Search subagents read/summarize local repo files; those files are outsider-authored content from the cloned repository and become LLM-readable prose in the subagents’ outputs.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's prepare subagent explicitly runs git clone at runtime against arbitrary VCS URLs (e.g., github.com / gitlab.com / bitbucket.org or git@github.com:org/repo.git via "git clone --depth 1 "), and the search subagents then read and inject the cloned repo files/snippets into agent outputs (model context), so fetched remote content can directly control prompts.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata