claude-cli

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt includes examples that embed secrets directly in CLI arguments and config files (e.g., --env AIRTABLE_API_KEY=YOUR_KEY, .mcp.json "env": {"API_KEY":"value"}, and podman -e GITHUB_PERSONAL_ACCESS_TOKEN "your-token"), which would encourage the agent to accept and emit secret values verbatim in commands/configs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill lets the agent load and interact with external, potentially untrusted third-party services and content—e.g., adding MCP servers from arbitrary URLs (claude mcp add --transport http/sse ... https://mcp.sentry.dev/mcp, etc.) and browsing/installing plugins from a marketplace (claude plugin marketplace / claude plugin install ...@my-marketplace), which the agent is expected to read/use as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime Model Context Protocol endpoints (e.g., "claude mcp add --transport http sentry https://mcp.sentry.dev/mcp" and "claude mcp add --transport sse asana https://mcp.asana.com/sse") that the CLI connects to during execution to stream context/instructions, which can directly influence agent prompts or provide remote-executed behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly exposes flags to bypass permission checks (e.g., --permission-mode bypassPermissions, --dangerously-skip-permissions) and instructs running arbitrary MCP server commands (npx, node, podman, stdio servers) and adding directories, which enable executing external processes and altering the machine state.
Audit Metadata

Risk Level: HIGH

Analyzed: Feb 16, 2026, 12:24 AM