code-audit

Fail

Audited by Snyk on Mar 11, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill explicitly detects and aggregates hardcoded secrets (e.g., .env values, API keys) and instructs the agent to synthesize tool outputs and the generated CODE_AUDIT_REPORT.md into a final report without any redaction guidance, which means the LLM will likely see and may be expected to include secret values verbatim in its output.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly instructs the agent to run Bash commands to check and install tools — including using system package managers with sudo (apt/dnf) and global installs — which modifies the host system state and may require elevated privileges, so it can compromise the machine.

Issues (2)

HIGH W007: Insecure credential handling detected in skill instructions.

MEDIUM W013: Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 11, 2026, 04:01 PM
Issues: 2