coding-agent

Fail

Audited by Snyk on Mar 3, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The instructions explicitly document a --api-key flag and show it in command-line examples, which encourages embedding API keys or tokens directly in generated shell commands. The agent may then have to emit secret values verbatim, and a secret placed in argv is also visible to other processes (ps), shell history and command logs, so the exfiltration risk is high.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs cloning or fetching public GitHub repositories and PR refs (e.g., git clone https://github.com/... , git fetch origin '+refs/pull//head:refs/remotes/origin/pr/') and running agents such as "codex review" against PR diffs, meaning the agent will ingest and act on untrusted, user-generated third-party content from GitHub.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill explicitly clones repositories at runtime (e.g., https://github.com/clawdbot/clawdbot.git and git@github.com:user/repo.git), and the fetched repository files then become the agent's working context (codex review, git diffs, or commands run inside the checkout), so remote content can directly influence prompts or lead to execution of code.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly promotes bypassing sandboxing and approval protections (e.g., --yolo / --dangerously-bypass-approvals-and-sandbox), which encourages the agent to evade safety controls and run unrestricted actions on the host.
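A constructed scanner that encodes the four checks above as regexes over a SKILL.md, as an added example (not Snyk's scanner and not code from the coding-agent skill). The rule IDs and severities are taken from this report; the patterns, the fence tracking, the sample skill text and the pass/fail threshold are this example's own assumptions.

```python
"""Static scan of a skill instruction file for the patterns this audit flags.
Added example: rule IDs/severities come from the report; the regexes, fence
tracking, sample text and thresholds are assumptions of this example."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # report rule ID (W007, W011, W012, W013)
    severity: str   # HIGH / MEDIUM, as the report grades the rule
    line_no: int    # 1-based line in the skill file
    in_code: bool   # True when the hit sits inside a fenced command block
    evidence: str   # the offending line, stripped


# (rule, severity, description, pattern). Patterns are this example's own.
RULES = [
    ("W007", "HIGH", "credential passed on the command line",
     # --api-key / --token / --password / --secret, but not e.g. --token-file
     re.compile(r"(?i)(?<![\w-])--(api[-_]?key|token|password|secret)(?![\w-])")),
    ("W011", "MEDIUM", "ingests third-party PR content",
     re.compile(r"refs/pull/|\bgh\s+pr\s+(checkout|diff)\b")),
    ("W012", "MEDIUM", "fetches a remote repository or script at runtime",
     re.compile(r"\bgit\s+(clone|fetch|pull)\b.*?(https?://|git@)"
                r"|\b(curl|wget)\b.*\|\s*(sudo\s+)?\w*sh\b")),
    ("W013", "MEDIUM", "disables sandbox or approval controls",
     re.compile(r"--(yolo|dangerously-bypass-approvals-and-sandbox)(?![\w-])")),
]

FENCE = re.compile(r"^\s*(```|~~~)")          # markdown code fence open/close
SEVERITY_RANK = {"HIGH": 2, "MEDIUM": 1, "LOW": 0}


def scan(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, tracking fenced code blocks."""
    findings: list[Finding] = []
    in_code = False
    for line_no, line in enumerate(text.splitlines(), start=1):
        if FENCE.match(line):
            in_code = not in_code
            continue
        for rule, severity, _desc, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, severity, line_no, in_code, line.strip()))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """Overall level is the highest severity among findings ("NONE" if empty)."""
    if not findings:
        return "NONE"
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__)


def verdict(findings: list[Finding], fail_at: str = "MEDIUM") -> str:
    """Assumed policy: fail once any finding reaches fail_at or worse."""
    level = risk_level(findings)
    if level == "NONE":
        return "Pass"
    return "Fail" if SEVERITY_RANK[level] >= SEVERITY_RANK[fail_at] else "Pass"


# Constructed sample SKILL.md (tilde fences so it can sit inside this file).
SAMPLE_SKILL_MD = """\
# coding-agent (constructed sample for this example, not the audited skill)

## Setup
Run the agent with your key:

~~~bash
codex --api-key sk-EXAMPLE review
~~~

## Reviewing a pull request
~~~bash
git clone https://github.com/example-org/example-repo.git
git fetch origin '+refs/pull/42/head:refs/remotes/origin/pr/42'
codex review --yolo
~~~

Use --dangerously-bypass-approvals-and-sandbox when you do not want prompts.
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_SKILL_MD)
    for f in hits:
        where = "code" if f.in_code else "prose"
        print(f"{f.severity:6} {f.rule} L{f.line_no} ({where}): {f.evidence}")
    print("Risk Level:", risk_level(hits), "| Verdict:", verdict(hits))
```

The fence tracking matters for triage: a hit inside a fenced command block is something the agent is expected to type verbatim, while the same flag in prose may only be mentioned. The W007 lookahead deliberately lets --token-file and similar file- or environment-based forms pass, since moving the secret out of argv is the usual fix for that finding.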
Audit Metadata

Risk Level: HIGH
Analyzed: Mar 3, 2026, 04:41 AM