ops-yolo
Fail
Audited by Snyk on Apr 29, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to "Resolve ALL keys via env → Doppler → password manager", listing secrets (GITHUB_TOKEN, SENTRY_AUTH_TOKEN, LINEAR_API_KEY, AWS_ACCESS_KEY_ID), to use those credentials for actions, and to present exact commands for execution. This requires the LLM to load secret values and potentially include them in its generated outputs, creating a direct exfiltration risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.85). The skill explicitly requests broad access to sensitive secrets and full workspace data, and it can autonomously execute high-impact operations (merge PRs, trigger deploys, modify infra, schedule recurring jobs), which together create strong opportunities for credential theft, data exfiltration, and persistent/remote control even though no obfuscated payloads or explicit external exfiltration endpoints are present.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's Native tool usage explicitly instructs the agent to use WebFetch/WebSearch to pull external pages (e.g., Grafana dashboards, Sentry event details, AWS status pages and web search results), which are untrusted third-party content that the agent will read and use to inform decisions and actions.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata