iac-security

Fail

Audited by Snyk on May 4, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly scans IaC and asks the LLM to include "Evidence: " (and to detect hardcoded secrets and state file contents), which would require reproducing secret values verbatim in the report unless additional redaction is specified.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's prerequisites and workflow explicitly require "access to module registries or module source references" and even instruct to "trace into module source code" (SKILL.md Common Pitfalls / Supply Chain Integrity), which implies fetching and interpreting modules from public registries or git URLs (untrusted, user-authored content) that can directly influence findings and remediation decisions.

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: May 4, 2026, 02:07 AM
  • Issues: 2