hive-create-task

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt asks the user for an admin key (or to set HIVE_ADMIN_KEY) and explicitly shows a command that embeds --admin-key , which would require the agent to include the secret verbatim in generated commands/outputs, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly includes a prepare.sh "downloads data" file (Recommended files) and the runtime workflow (Phase 5.1) runs prepare.sh if present, which means the agent will fetch and ingest external/public data that the eval uses—an untrusted third-party source that can influence evaluation and subsequent actions.