agentic-actions-auditor

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt requires fetching and reporting workflow YAML (including "Evidence" snippets) and explicitly capturing sensitive fields like "token" and env var values, which would force the agent to reveal any embedded secrets verbatim rather than keeping them hidden or redacted.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md explicitly instructs remote analysis mode to fetch and read workflow YAML from arbitrary GitHub repositories (using gh api to retrieve .github/workflows/* and resolve remote reusable workflows), so it ingests untrusted, user-generated third‑party content and analyzes it as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches repository workflow and action files at runtime using the GitHub Contents API (e.g., gh api repos/{owner}/{repo}/contents/.github/workflows or https://api.github.com/repos/{owner}/{repo}/contents/{path}?ref={ref}), and those fetched YAMLs can contain AI prompt fields or action configs that directly control agent prompts or enable code execution, which the skill relies on to perform its analysis.