user-docs-to-ai-skill
Fail
Audited by Snyk on Mar 29, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly requires extracting and including source text "verbatim" (in ATOMs and when delegating to process-siren) and writing those extracts into reference files and SKILL.md, so any secrets embedded in the source docs would be copied into the agent's outputs.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The workflow explicitly fetches and ingests public third-party docs (e.g., Phase 0 Input Resolution: "If source matches https://github.com/* — Run: git clone .claude/worktrees/project-name/") and later uses WebFetch/Read and the MCP file-reader to parse remote HTML/PDF/DOCX/Jupyter content, so untrusted user-generated content is read and can influence subsequent tooling and decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs git clone on GitHub URLs at runtime (e.g., https://github.com/* such as https://github.com/astral-sh/ty), and the cloned documents are then injected verbatim into delegation prompts (process-siren) and used as required input to build the skill, so remote repo content can directly control prompts.
Issues (3)
HIGH W007: Insecure credential handling detected in skill instructions.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).