git-delegation-management

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.85). This skill explicitly grants the Manager the ability to execute arbitrary git commands using the host's git credentials and an unsanitized "operations" list, which enables easy credential misuse, data exfiltration (e.g., pushing workspace contents or cloning private repos to attacker-controlled remotes), and potential remote code execution via git hooks or command injection—highly abuseable even if not overtly malicious in intent.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Execution Flow and git-request example (SKILL.md Step 2 and the sample git-request showing "git clone https://github.com/org/repo.git") explicitly instruct the Manager to clone and operate on arbitrary remote repositories, which are untrusted, user-generated third-party content that the agent will read/interpret as part of its workflow and use to make decisions or remediate errors.