run-repo-cleanup

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs "hardcode values into the scripts that need them — only when the repo is confirmed private," which directs the agent to embed secret values verbatim into generated code/files (a high-risk secret-exfiltration pattern), despite otherwise recommending not to commit .env or secrets.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly runs GitHub queries (e.g., gh pr list / gh pr view) as part of its required workflow — see scripts/audit-state.py and the Post-PR verification instructions in references/post-pr-verification.md — which ingests public, user-generated PR data from upstream/fork and uses those results to make fork-safety and cleanup decisions.