curator-repo-learn

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill clones and scans repository files (including configuration) and emits analysis and reports back into the conversation and repo storage without any redaction rules, so any API keys or secrets present in files could be read and reproduced verbatim by the LLM.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly shallow-clones arbitrary public GitHub repositories (see "2. CLONE REPOSITORY" and the usage example "/repo-learn https://github.com/owner/repo") and ingests/scans their source files to extract patterns and update procedural memory/rules, so untrusted repository content can influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill clones arbitrary GitHub repositories at runtime (e.g., https://github.com/owner/repo) and reads their contents to extract patterns and update procedural memory, meaning fetched repo content is used to directly influence the agent's instructions/behavior.