osmo-agent

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill instructs the agent to fetch and summarize workflow specs "including ... notable environment variables" and to write/submit YAML with explicit environment variable key/value pairs and --set arguments, which can force the LLM to see and output secret values verbatim (exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md explicitly instructs the agent to fetch public files from raw.githubusercontent.com (e.g., https://raw.githubusercontent.com/NVIDIA/OSMO/main/cookbook/README.md and linked per-workflow README/YAML) and to read and use those remote README/YAML contents to generate, adapt, and decide how many workflows to submit, which exposes the agent to untrusted public third‑party content that can influence tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs the agent to fetch workflow examples at runtime from raw GitHub URLs (e.g. https://raw.githubusercontent.com/NVIDIA/OSMO/main/cookbook/README.md and per-workflow raw.githubusercontent.com paths), and those fetched README/YAML files are used as workflow specs that the agent adapts and submits for execution, so this is a runtime external dependency that directly controls executed code.