ops-doctor
Fail
Audited by Snyk on Apr 29, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly reads and parses diagnostic files and env_vars, and instructs the agent to paste the full DIAGNOSTIC_JSON into an Agent creation prompt and to display summaries (including ENV VARS/credentials). This can require emitting secret values verbatim and thus risks exfiltration.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md explicitly tells the agent to use WebSearch and WebFetch to query public sites (e.g., GitHub issues/docs and external MCP APIs such as https://api.linear.app/graphql) and to read those results to diagnose known issues, so it clearly ingests untrusted third‑party web content that can influence fix decisions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill autonomously spawns "doctor" agents to "fix all errors and warnings" including "broken permissions" and "invalid configs" under the plugin/daemon context, which directs the agent to modify files and system state (potentially requiring elevated privileges) even though it doesn't explicitly request sudo or user creation.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.