ao-workflow-runner

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt requires blind substitution of {{variables}} with user-provided inputs and writes step outputs to files without any guidance to protect secrets or use environment variables, so any user-supplied API keys/passwords would likely be embedded verbatim in generated steps/commands and outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly reads role markdown files from agency-agents-zh/{role}.md as part of execution (SKILL.md step 4) and the README instructs cloning the public GitHub repo (https://github.com/jnMetaCode/agency-agents-zh.git), so it ingests untrusted third‑party user-generated content that can materially influence agent behavior.