flux-operator-cli

Result: Fail

Audited by Snyk on Apr 1, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed credentials verbatim in CLI flags (e.g., --instance-sync-creds=username:ghp_token and --password=secret) and instructs exporting secrets as YAML, which would require the agent to handle or output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly ingests untrusted third-party content — e.g., SKILL.md and references/commands-build-diff-patch.md state "diff yaml" accepts remote URLs (GitHub/GitLab/Gist/OCI) and references/commands-skills.md describes "skills install" pulling OCI artifacts (e.g., ghcr.io) with optional verification, which can install code/skills that materially change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The CLI includes a runtime "skills install" command that fetches OCI artifacts (e.g., ghcr.io/org/flux-skills) into .agents/skills to install AI agent skills, which clearly allows remote content to directly control agent prompts/behavior.

Issues (3)

W007 (HIGH): Insecure credential handling detected in skill instructions.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 1, 2026, 09:19 AM
Issues: 3