team-feature

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the lead to "provide each subagent with the full target context (feature spec, file contents, etc.) in the prompt," which would cause the agent to include repository/file contents (and any embedded API keys or secrets) verbatim in messages to subagents, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests user-generated GitHub content (e.g., via "gh pr diff " and "gh pr view --json title,body,comments" and "gh issue view ... --json title,body,comments") and then uses that content to analyze the feature and decide which specialists and tasks to spawn, so untrusted third-party PR/issue text can influence agent actions.