airflow

Fail

Audited by Snyk on Feb 17, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt includes hard-coded credentials and examples that embed passwords and connection URIs verbatim (e.g., --password admin, POSTGRES_PASSWORD, and connection strings with user:password), which are insecure patterns that would cause an LLM to output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill fetches and ingests external, potentially untrusted content at runtime (e.g., gitSync repo https://github.com/org/airflow-dags.git, pip constraint URL on raw.githubusercontent.com, the curl of airflow.apache.org/docker-compose.yaml, and HttpHook/HttpSensor responses that are parsed via response.json()), and those artifacts/DAGs/responses are read and acted on by Airflow, which could allow indirect instruction injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The Helm values.yaml enables gitSync with repo https://github.com/org/airflow-dags.git, which at runtime will clone remote Python DAGs into Airflow and thereby fetch and execute remote code in the agent environment.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 17, 2026, 09:48 AM