sigil-scan

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's Environment Audit explicitly scans .env, credential files, and shell histories and instructs the agent to "present all findings to the user," which would require outputting discovered API keys/tokens/passwords verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill (see SKILL.md and scripts/scan.sh) explicitly fetches/clones arbitrary GitHub URLs, npm/pip packages and any URL (scan_git_url/scan_url/scan_npm_package/scan_pip_package), and the agent parses those results and uses the verdict to decide or gate installations/execution, so untrusted third‑party content can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). setup.sh (invoked as part of the skill's setup/require flow) downloads and installs the Sigil CLI from GitHub releases (e.g. https://github.com/NOMARJ/sigil/releases/download/${latest_tag}/${asset_name}), which the skill requires and executes locally, so remote content fetched at runtime can execute code.