task-orchestrator
Fail
Audited by Snyk on Feb 27, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill instructions capture log content and inject it verbatim into Codex prompts (e.g., $(cat error.log | tail -20) inside a tmux send-keys codex command). The agent therefore reads arbitrary, potentially sensitive data from logs and forwards it into model I/O, where any secrets it contains can be exfiltrated.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches public GitHub issues with "gh issue list --repo OWNER/REPO" and injects the issue bodies/descriptions into autonomous Codex workers (see the "tmux ... codex --yolo 'Fix issue #N: DESCRIPTION...'" command and the restart flows that embed captured output). Untrusted, user-generated issue content is therefore read by the agent and can directly drive its actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs git clone at runtime (git clone https://github.com/OWNER/REPO.git "$WORKDIR/repo") to fetch a repository against which the orchestrator then runs tests and commands (via Codex/tmux), so remote repository content is fetched and executed as part of the workflow.
Audit Metadata