security-scanner
Fail
Audited by Snyk on Apr 14, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The scanner explicitly fetches "raw file content exactly as‑is" (including local and GitHub files) and has no instructions to redact secrets, so the LLM will receive sensitive values in context and may output them in reports — creating an exfiltration risk.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The list mixes legitimate-looking GitHub repo and raw.githubusercontent.com endpoints (which can host scripts/binaries and are safe only after inspection) with explicit malicious/third‑party domains (evil.com, attacker.com) and raw-download patterns that are commonly used to distribute executable payloads, so the set should be treated as suspicious and verified before downloading or executing anything.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests files from public GitHub URLs (Step 2-URL: converting blob URLs to raw.githubusercontent.com and using the GitHub API to fetch repo contents) and then reads SKILL.md/README and other repo files for analysis, which are untrusted third‑party contents that can contain instructions capable of influencing the agent's decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill fetches and injects remote GitHub content at runtime (e.g., https://api.github.com/repos/{owner}/{repo}/contents/{path}?ref={branch} and https://raw.githubusercontent.com/{owner}/{repo}/{branch}/{path}), which is then fed verbatim into the analyzer and can directly control prompts/instructions, so this is a high-risk runtime external dependency.
Issues (4)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E005 (CRITICAL): Suspicious download URL detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata