sync

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill instructs the agent to read the repository remote URL and then include it verbatim in CLI commands; if the remote URL contains embedded credentials (e.g., user:token@host) those secrets would be handled and output directly, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). SKILL.md explicitly instructs the agent to fetch and install skills from the repository's remote URL (commands like git remote get-url origin and bunx skills add "<remote-url>" --list / --all), which causes the agent to ingest and act on code from arbitrary remote GitHub/other git remotes (untrusted, user-generated content) that can change its tools and behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill obtains and uses the repository remote URL (from git remote get-url origin, e.g. git@github.com:org/repo.git or https://github.com/org/repo.git) at runtime and runs bunx skills add "<remote-url>" --all -y, which fetches and installs remote code that will be executed as skills, so the external git URL directly controls code executed by the agent.