qa-orchestrator

Fail

Audited by Snyk on May 9, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the orchestrator to read .env.qa (which contains credentials/secrets) and "provide each agent with... the .env.qa values they need" and to include full reproduction details in issue bodies, forcing the LLM to handle and potentially emit secret values verbatim, which is a direct exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The orchestrator explicitly fetches PR data via mcp__github__get_pull_request (and optionally Linear tickets via mcp__linear__get_issue) in Phase 1 and supplies PR/body/diff and ticket descriptions as scope context to spawned agents, so untrusted user-generated content from GitHub/Linear can be read and materially influence agent actions.

Audit Metadata

Risk Level: HIGH
Analyzed: May 9, 2026, 08:18 PM
Issues: 2