repo-sentinel

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's audit outputs and examples explicitly show and expect reporting of exposed secrets and credential snippets verbatim (e.g., API_KEY = "sk-live-...", redis://admin:pass@...), so the agent would need to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and scans arbitrary repository content and full git history as part of its required workflow (see SKILL.md and references/scan-patterns.md which run trufflehog/gitleaks and git log --all, and the GitHub Actions/templates that use actions/checkout with fetch-depth: 0), meaning untrusted public repo files (README/docs, notebooks, .claude/, wiki content, etc.) are read and used to drive findings and remediation actions and could therefore carry indirect prompt-injection instructions that influence the agent's decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes CI/automation steps that fetch and execute remote code at runtime—for example the scheduled-audit step downloads and runs gitleaks from https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.18.4_linux_x64.tar.gz (and the templates also reference remote pre-commit hooks and GitHub Actions repos that are fetched and executed), so these URLs are runtime external dependencies that execute remote code.