skill-learning
Fail
Audited by Snyk on Mar 14, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt requires fetching and preserving code blocks verbatim and inserting/source-attributing extracted snippets into diffs and SKILL.md outputs with no guidance to redact secrets, so any API keys or passwords present in fetched files/URLs would be reproduced in the agent's outputs (exfiltration risk).
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill explicitly requires fetching and scraping arbitrary URLs with the WebFetch tool (Phase 1a) and reading repository files via Glob/Read (Phase 1b/1c), then uses those untrusted, user-provided sources to extract insights that drive matching, scoring, proposal and Edit tool actions (Phases 2–6), so third-party content can materially influence agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly requires runtime fetching (WebFetch(url, format="markdown") with a fallback to https://r.jina.ai/{url}) and then injects that fetched content into the agent's context to drive extraction/matching/editing decisions, so the external URL content directly controls the agent's prompts/behavior.