experiment-bridge

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill instructs the agent to read and "paste the experiment scripts" and entire repo contents into a cross-model code-review (GPT-5.4) without any redaction guidance, which would cause any embedded API keys, credentials, or secrets in those files to be output verbatim and thus exfiltrated.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to "git clone <BASE_REPO> base_repo/ # Read the repo's README, understand its structure" (Phase 2 / Constants), which means the agent will fetch and parse arbitrary user-provided GitHub repositories (untrusted, user-generated content) and use that information to implement and deploy experiments, allowing third-party content to influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs a runtime git clone of a user-specified BASE_REPO (e.g., https://github.com/org/project) and then uses that cloned code as the working codebase to implement and run experiments, meaning remote content fetched at runtime can directly influence/contain executable code that will be run—so this URL is a runtime dependency that can control executed code.