valet
Fail
Audited by Snyk on Apr 22, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill forbids asking users for secrets and uses templates/env injection for most flows, but it explicitly runs CLI commands that output sensitive values (e.g., webhook signing secrets, generated managed secrets) and instructs the agent to "save and report these to the user," which requires the LLM to read and reproduce secret values verbatim in its output — creating an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent (see "Designing a New Agent" Step 1) to fetch and parse arbitrary user-supplied third-party URLs (e.g., GitHub SKILL.md/raw, skills.sh listings, npmjs/PyPI pages) using WebFetch to extract tools/configurations that will influence tool selection and next actions, which exposes it to untrusted user-generated web content.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs a remote installer via curl | bash (https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh) and also fetches or clones GitHub repositories / raw.githubusercontent.com SKILL.md content (e.g., github.com/... and raw.githubusercontent.com/...) at runtime to import agent definitions or code, which executes remote code or directly controls prompts/instructions.
Issues (3)
HIGH W007: Insecure credential handling detected in skill instructions.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata