company

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed secrets directly into commands/config (e.g., Authorization: "Bearer YOUR_PAT" in the MCP add-json for GitHub), which instructs the agent/user to paste API tokens into generated commands/configs and therefore requires handling/outputting secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md "MCP 連携の提案" and related運用フロー explicitly show the secretary will use configured MCP servers (examples include URLs for Notion, Google Calendar, GitHub, Slack) and states "MCP サーバーが設定済みの場合、秘書は積極的に活用する" and will act on GitHub issues/PRs, which means the agent can fetch and interpret untrusted third‑party/user‑generated content (e.g., GitHub/Notion data) that can influence its actions.