repo-explorer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to read, grep, and display repository files (with file paths and line numbers) and to present CLI output to the user, which will cause any secret literals found in the repo (API keys, tokens, passwords) to be included verbatim in the agent's output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md workflow explicitly clones remote repositories (step 2: "REPO_DIR=$(mktemp -d) && git clone --depth 1 "$REPO_DIR"") from public GitHub/GitLab/Bitbucket sources and runs the Claude Code CLI to read/grep files in the repo, so the agent ingests arbitrary public/user-generated repository content that can influence its analysis and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). This skill runs git clone at runtime for arbitrary remote repositories (e.g., https://github.com/expressjs/express or shorthand like https://github.com/owner/repo) and then invokes the Claude Code CLI to read and act on the fetched files, so the remote content can directly control prompts/execution.