continuous-testing

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt contains plaintext credentials and DB URLs with embedded passwords (e.g., postgresql://postgres:postgres and POSTGRES_PASSWORD: postgres) and shows secrets being placed directly into CI config, so an agent generating or reproducing these configs would output secret values verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The workflow fetches and runs third-party GitHub Actions at runtime (for example uses: snyk/actions/node@master) which are remote code executed in the CI runner and are required for the security-tests job, so they constitute a runtime external dependency that executes remote code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt includes explicit sudo commands that add an APT key/source and install packages (modifying /etc/apt/sources.list.d and system keyrings), which requires elevated privileges and thus directs changes to the machine state.