consultant
Fail
Audited by Snyk on Mar 1, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt includes an explicit --api-key CLI flag example and shows API keys being embedded in commands (and in exports). This encourages the agent to accept and emit secret values verbatim in generated commands, an insecure pattern that can lead to secret exfiltration.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill accepts an arbitrary --base-url / OPENAI_BASE_URL and then queries that endpoint: scripts/model_selector.py -> list_models does a requests.get to base_url + /models or /v1/models, and scripts/litellm_client.py -> count_tokens POSTs to base_url + /utils/token_counter. The responses are used directly for automatic model selection, token counting, and context validation, so untrusted remote content can materially change which model or strategy is chosen and how the agent proceeds.
Audit Metadata