skill-install

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill instructs the agent to fetch raw repository files and write them verbatim to the local skills directory (and to include file contents in the security analysis), so any secrets present in those files would necessarily be handled/output verbatim by the LLM/tooling, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and downloads arbitrary GitHub repository content (Step 2: WebFetch to https://api.github.com/repos/{owner}/{repo}/contents/skills and Step 4: raw.githubusercontent.com file downloads), which are public, user-generated sources that the agent reads and analyzes.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches a security-scan prompt template at runtime from raw GitHub content (e.g. https://raw.githubusercontent.com/{owner}/{repo}/{branch}/skills/{skill_name}/references/security_scan_prompt.md), and that fetched text is directly injected as the analysis prompt that controls the agent's behavior, meeting the criteria for a runtime external prompt-controller.