yes-md

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to run commands like cat config.yaml | grep key, env, and "show the actual value" / "show the response", which requires reading and outputting secret/API credential values verbatim (creating exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md explicitly requires using WebSearch/Read (e.g., "You have Bash, Read, Grep, WebSearch. Use them BEFORE asking the user anything." and the Level 3 Five-Step Audit: "WebSearch the exact error"), which instructs the agent to fetch and interpret public/untrusted web content as part of its workflow and could therefore influence subsequent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The prompt repeatedly instructs the agent to read, copy, modify config files, run commands (cp, curl, restart services, docker-compose up, deployments) and verify changes—actions that alter system state and may require elevated privileges—so it does push the agent to perform state-changing operations on the host.