skill-eval

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). This skill requires forwarding case input.user_prompt verbatim to spawned agents and saving/copying accepted child session transcripts and final answers into artifacts, which forces the agent to handle and reproduce any secret values present in prompts or sessions and thus creates exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly clones and reads a public GitHub repo (default https://github.com/Jiayi-Ye02/agentic-evals.git) and requires loading repo files (agentic-evals/AGENT.md, targets/<target_id>/cases/*.yaml, etc.) whose untrusted, user-authored content is ingested and used to construct and drive spawned agents (case input.user_prompt is sent verbatim), so third-party content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly runs "git clone --depth 1 https://github.com/Jiayi-Ye02/agentic-evals.git" at runtime when the local repo is missing, and the cloned repository's case files and AGENT.md are required and directly determine the prompts/instructions sent verbatim to spawned sub-agents, so the remote content can control agent behavior.