collecting-testflight-feedback
Fail
Audited by Snyk on May 9, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill asks the agent to accept or extract full TestFlight image URLs (which include AWSAccessKeyId/Signature/Expires query params) and to download them via curl or embed them verbatim, which would expose signed-URL credentials in the agent's output/commands.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to navigate to and scrape user-generated TestFlight feedback from App Store Connect (e.g., https://appstoreconnect.apple.com/.../testflight/screenshots/{FEEDBACK_ID}) and to extract and act on the feedback text, screenshots, and metadata—third-party tester content that could contain malicious/ambiguous instructions and influence categorization and follow-up actions.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata