gdrv-cli

Fail

Audited by Snyk on Mar 10, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed secrets directly in commands (notably --password "TempPass123!" and CLI args showing client secrets), which instructs an agent to output or propagate secret values verbatim and is therefore insecure.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly reads and processes arbitrary user-generated Drive content (e.g., "gdrv docs read DOC_ID", "gdrv sheets values get SHEET_ID", "gdrv files list --json") from Google Drive — untrusted third-party files — and then uses that data to drive actions like uploads, permission changes, syncs, and deletions as described in SKILL.md, enabling indirect instruction injection.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 10, 2026, 03:37 PM