coding-agent

Fail

Audited by Snyk on Mar 10, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt explicitly documents a --api-key flag (and shows command-line examples), which encourages embedding API keys or tokens directly into generated shell commands; the agent may therefore need to include secret values verbatim, which poses a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs cloning and fetching public GitHub repos and PR refs (e.g., "git clone https://github.com/clawdbot/clawdbot.git", "git fetch origin '+refs/pull/*/head:...", and the codex review / git diff workflows), so the agent will ingest untrusted, user-generated code and PR content from the public web and use it to drive reviews and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill explicitly performs runtime git clones (e.g., https://github.com/clawdbot/clawdbot.git and git@github.com:user/repo.git) and then runs agents (codex/pi/opencode) against the fetched repository, so remote repository content directly controls the agent's context/instructions and can lead to executing code from that repo.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly promotes bypassing sandboxing/approval protections (e.g., --yolo / --dangerously-bypass-approvals-and-sandbox) which encourages the agent to evade safety controls and run unrestricted actions on the host.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 10, 2026, 03:24 AM