styleguide

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly constructs and echoes a credentials URL containing the GitHub token (via $(gh auth token --user GGPrompts)) into ~/.git-credentials, which requires capturing and outputting the secret verbatim and thus enables credential exfiltration.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content includes an explicit command that programmatically extracts a GitHub auth token via gh auth token and writes it in plaintext to ~/.git-credentials (with git config --global credential.helper store), which is a deliberate credential-theft/persistence pattern enabling unauthorized token capture and reuse (data exfiltration/credential theft).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Phase 1 research steps explicitly require fetching public web content (e.g., "Font selection: Search Google Fonts..." and "Read 1-2 existing style guides" in Phase 0/Phase 1), so the agent will ingest untrusted third-party pages that can influence design decisions and subsequent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill instructs agents to read and write repository files, update global git config, write a plaintext GitHub credential to ~/.git-credentials and push to remote (modifying user-level config and storing secrets), which changes the machine state and presents a clear security risk even though it doesn't request sudo or system-level modifications.