infra-deploy

Fail

Audited by Snyk on Feb 27, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to read secrets from 1Password (op read / op item get --reveal) and then inject those secret values directly into command-line arguments and HTTP requests (gcloud --set-env-vars and curl ?apiKey=...), which requires the agent/LLM to handle and output secrets verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill explicitly registers and accepts Cal.com webhook JSON from the public Cal.com API and a public webhook relay URL (see "Step 4: Register Cal.com Webhook" and "Step 5: Test with Simulated Booking" which POST/receive arbitrary webhook payloads to $WEBHOOK_RELAY_URL and api.cal.com), so untrusted, user-generated event content is ingested and can drive actions (Pushover alerts).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill pulls and runs external container images at runtime—e.g., the Docker image "calcom/cal.com:latest" (and the Artifact Registry image "${CALCOM_GCP_REGION}-docker.pkg.dev/${CALCOM_GCP_PROJECT}/calcom/calcom:latest")—which will execute remote code and are required dependencies for deployment/local development.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 27, 2026, 02:19 AM