team-init

Fail

Audited by Snyk on Apr 7, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill reads the full contents of user-edited and remote role/workflow files and injects them directly into generated agent prompts and messages, so any API keys or secrets present in those files would be included verbatim and could be exfiltrated.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly supports installing remote roles by accepting GitHub repo URLs or npx package names, and it reads role files from {work_dir}/.team-roles/{filePath} (see "现在安装新的远程角色" ["Now install new remote roles"] / "读取 {work_dir}/.team-roles/roles-lock.json" ["Read {work_dir}/.team-roles/roles-lock.json"] and the Steps where remote role .md content is Read and injected into agents' <your_role> prompts). Untrusted third-party (user-provided) content is therefore ingested and can directly change agent prompts and behavior.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 7, 2026, 02:39 AM
Issues: 2