analyse-team-session

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt requires quoting specific passages from the provided session export as evidence and including verbatim excerpts in the report, so if that transcript contains API keys, tokens, cookies, or passwords the agent would be instructed to reproduce them exactly, creating a direct exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly requires fetching the official docs at runtime via WebFetch (https://code.claude.com/docs/en/agent-teams and https://code.claude.com/docs/en/costs), and those fetched pages are treated as authoritative inputs that directly control the evaluation prompts and rubric, so they are runtime external dependencies that influence agent behavior.