anthropic-managed-agents

Fail

Audited by Snyk on Apr 17, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples and instructions that place API tokens (e.g., GitHub PAT as authorization_token and x-api-key headers, including a ghp_* example) directly into request bodies/commands, which would require the LLM to insert secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly mounts arbitrary GitHub repositories via the session "resources" (github_repository in the session_create.json) and includes web_fetch/web_search plus an "unrestricted" network environment, so the agent is expected to read and act on untrusted, user-generated third-party content (repo files and web pages) that could materially influence its tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly mounts arbitrary GitHub repositories at runtime via the session resource URL (e.g., "https://github.com/your-org/your-repo"), which supplies code/content that the agent will read and can execute via built-in tools like bash, so the fetched repo content can directly influence prompts/behavior and run remote code.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Apr 17, 2026, 04:43 PM
  • Issues: 3