kw-gsd-fortify

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires extracting and presenting exact code snippets and file:line references (verbatim) as findings, which would force the LLM to output any hardcoded secrets (API keys, tokens, passwords) present in those snippets unless additional redaction rules are specified.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's UI Compliance Reviewer (Agent 5) workflow explicitly requires verifying components against public component registries and external component libraries (e.g., "verify it exists in the shadcn registry" and references to ui.shadcn.com / shadcnstudio.com) — i.e., fetching/consulting third‑party registry/site content which the agent must read and which can change actions like flagging installs or custom-component requests.