skill-install
Fail
Audited by Snyk on Mar 6, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill instructs the agent to fetch raw repository files and write them verbatim to the local skills directory (and to include file contents in the security analysis), so any secrets present in those files would necessarily be handled and output verbatim by the LLM and its tooling, creating exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). This skill fetches and ingests arbitrary GitHub repository content (via WebFetch using GitHub API endpoints like https://api.github.com/repos/{owner}/{repo}/contents/skills and raw.githubusercontent.com) and directly analyzes that untrusted, user-generated content to decide whether to install skills, allowing third-party content to influence tool use and actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill fetches the security scan prompt template and skill files at runtime from raw.githubusercontent.com (https://raw.githubusercontent.com/{owner}/{repo}/{branch}/skills/{skill_name}/{file_path}), and that fetched prompt content is used to control the agent's analysis instructions, making it a required external dependency that directly controls prompts.
Audit Metadata