tool-connect

Fail

Audited by Snyk on Feb 21, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly asks for secrets (read -s prompts and env vars) and constructs/echoes commands and config snippets that embed those secrets verbatim (curl headers, Authorization lines, echo $GITHUB_TOKEN, etc.), which requires the model to output secret values directly and creates a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill directly issues requests to untrusted third-party sources — e.g., gh api repos/$repo/contents/$path, curl to user-provided API base URLs and /.well-known/capabilities, and arbitrary GraphQL endpoints — and ingests those responses as part of its workflow, so external content can influence subsequent tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's embedded MCP templates invoke npx to fetch and run remote packages at runtime (e.g., the GitHub template: "npx -y @modelcontextprotocol/server-github"), which will download and execute external code that the skill relies on to function, creating a high-confidence execution risk.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 21, 2026, 12:26 PM