agentic-actions-auditor

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to fetch workflow YAML and include evidence snippets and captured fields (e.g., env values, token) in reports without specifying redaction, which can force the LLM to reproduce any literal secrets found verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs remote analysis using gh api to fetch and read .github/workflows files from a GitHub repo (see "Fetch Workflow Files" in Step 0), which are untrusted, user-generated third‑party files that the agent ingests and uses to drive its analysis and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's remote-analysis mode explicitly fetches workflow YAML at runtime using the GitHub API (e.g., "gh api repos/{owner}/{repo}/contents/.github/workflows" and "gh api repos/{owner}/{repo}/contents/.github/workflows/{filename}"), and those fetched files can contain AI action "prompt" fields that directly control agent instructions, so this is a runtime external dependency that can control prompts.