gh-issues
Fail
Audited by Snyk on Apr 24, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs reading GH_TOKEN from configs and exporting/embedding it into curl headers and git remote URLs (e.g., export GH_TOKEN="" and https://x-access-token:$GH_TOKEN@github.com/...), which forces the agent to handle and potentially output the secret value verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches user-generated content from the public GitHub REST API (e.g., Phase 2: "curl ... https://api.github.com/repos/{SOURCE_REPO}/issues" and Phase 6: multiple "curl ... /pulls/{pr_number}/reviews" and "/comments"), reads and analyzes issue/PR bodies and review comments, and then uses that content to decide actions and spawn sub-agents that make commits/pushes/PRs—meeting all criteria for exposure to untrusted third‑party content.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). Flagging the GitHub repository URLs (e.g., https://x-access-token:$GH_TOKEN@github.com/{PUSH_REPO}.git and git@github.com:owner/repo.git) because the skill performs git remote/fetch/pull operations at runtime against these remotes and then runs tests and other commands on the fetched repository code, which constitutes fetching external code that may be executed by spawned sub-agents.
Issues (3)
- HIGH W007: Insecure credential handling detected in skill instructions.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata