simple-skills-manager

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt asks the agent to take user-supplied paths or git URLs and embed them verbatim into shell commands and files (e.g., git clone {git-url}, echo "{absolute-working-path}"), which would cause any credentials contained in those inputs (credentialed git URLs or similar secrets) to appear directly in the agent's output — an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill clones or pulls arbitrary user-provided git URLs (and reads local paths) into ~/.claude/simple-skills-manager-repos/{group}/ and creates tips that instruct the agent to Read and execute SKILL.md from those external repositories, thus ingesting untrusted third-party content (public git repos) into the agent's workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill clones arbitrary git repositories at runtime (e.g., https://github.com/example/my-skills.git) and creates tips that instruct the agent to read and follow SKILL.md files from those repos, so fetched remote content can directly control prompts/instructions.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 10:18 AM