codemagic-codepush

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt requires producing copy-paste native config snippets and concrete CodePush app/deployment commands and wiring instructions that refer to deployment keys and server tokens (including how to retrieve and place them), which would compel the model to include or handle secret values verbatim and thus poses an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly requires consulting and aligning commands with the public CodePush CLI reference (https://github.com/codemagic-ci-cd/code-push-pro) and CodePush server URLs (https://codepush.pro) in Step 3, which means the agent is expected to fetch and interpret untrusted third-party web content that can change its CLI usage/decisions.