workflow-migration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to read local .env and environment variables (e.g., cat ~/.claude/skills/.../.env, echo $NOTION_API_KEY), present detected secret values to the user, and auto-generate files (.env, vm0.yaml) containing those tokens, which requires the LLM to handle and output secrets verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The AGENTS.md workflow explicitly instructs the agent to "Use WebSearch" and "Use WebFetch" to retrieve full article content from external public sites (e.g., Reuters, BBC, TechCrunch) and then read/extract/summarize that content as part of the agent's workflow, which exposes the agent to untrusted third‑party pages that could contain malicious or instructional content.