github

Fail

Audited by Snyk on Mar 3, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt gives the agent direct access to the GITHUB_TOKEN and explicitly instructs it to use the token in API calls and to embed it in commands (e.g., updating the remote URL with ${GITHUB_TOKEN}), which requires the agent to handle and potentially emit the secret value verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to query GitHub's public API/GraphQL for pull request review threads and comment bodies (user-generated content) and to reply/resolve threads and rerun workflows based on that content, so the agent will fetch and act on untrusted third-party data from GitHub.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 3, 2026, 03:02 AM