claude-code
Audited by Snyk on Mar 13, 2026
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill's prompt shows, and instructs, embedding secrets directly in MCP config JSON (e.g., "GITHUB_TOKEN": "ghp_xxx") and asks the agent to configure, read and write those files, which requires the agent to handle secret values verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs Claude to connect to external MCP servers (e.g., the ~/.claude/mcp.json example with a "github" server, and references to reading Sentry MCP logs) and to automatically read the project's CLAUDE.md and repository files. It therefore ingests untrusted, user-generated third-party content (GitHub repos, Sentry logs, repo files) that can influence its actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The ~/.claude/mcp.json entries run npx to fetch and execute remote npm packages at runtime (e.g., "npx -y @modelcontextprotocol/server-filesystem" and "npx -y @modelcontextprotocol/server-github"). This downloads and runs external code that supplies MCP context to the agent and can therefore directly affect agent behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly references and instructs working with Stripe: a "FinPay API" project, payment module docs, src/lib/stripe/client.ts that "wraps the Stripe SDK", webhook handling and idempotency for Stripe events, test card numbers, and refactoring/updating Stripe handlers. These are specific payment-gateway integrations (Stripe) and code paths that send/process payment events. Under the rule that payment gateways (Stripe, PayPal, etc.) are direct financial execution capabilities, this skill contains explicit financial execution functionality.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly provides and encourages a bypass of permission checks ("--dangerouslySkipPermissions"), and instructs the agent to read/write files, run shell commands, and configure MCP servers that expose the local filesystem and services. This enables unmediated modification of host state even though the skill does not explicitly request sudo or create users.