task-orchestrator

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs capturing log content and injecting it verbatim into Codex prompts (e.g., using $(cat error.log | tail -20) in a send-keys codex command), which causes the agent to read and forward arbitrary sensitive data from logs into model I/O and so can exfiltrate secrets.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill explicitly automates autonomous code changes, pushes, and PR creation without human oversight, encourages sending internal logs/context to an external model, and includes instructions to bypass sandbox/network restrictions and persist via cron — behaviors that enable supply‑chain code injection and data exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches GitHub issue bodies with gh issue list (see "Analyze GitHub Issues for Dependencies" and "Workflow: Step 1") and then incorporates those untrusted, user-generated texts and captured tmux/error logs into Codex prompts and orchestration actions (e.g., building task prompts and "Previous attempt failed with: ... Fix the issue" commands), so third-party content can directly drive tool behavior and next steps.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill clones and uses a remote Git repository at runtime (git clone https://github.com/OWNER/REPO.git), which fetches external code that the orchestrated agents (Codex sessions / test runs) will execute and rely on as a required dependency, so this is a runtime external dependency that can execute remote code.