agentic-actions-auditor

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to fetch and include YAML "Evidence" snippets and to capture env/token fields from workflow files (e.g., "token", env vars, prompt-file contents), so if those files contain secrets the LLM will read and output those secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md explicitly instructs remote analysis mode to fetch and read workflow YAML from arbitrary GitHub repositories (using gh api to retrieve .github/workflows/* and resolve remote reusable workflows), so it ingests untrusted, user-generated third‑party content and analyzes it as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches repository workflow and action files at runtime using the GitHub Contents API (e.g., gh api repos/{owner}/{repo}/contents/.github/workflows or https://api.github.com/repos/{owner}/{repo}/contents/{path}?ref={ref}), and those fetched YAMLs can contain AI prompt fields or action configs that directly control agent prompts or enable code execution, which the skill relies on to perform its analysis.