qa-only
Fail
Audited by Snyk on May 20, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The skill advertises "report-only QA" but embeds many side-effectful, non-QA actions — e.g., auto-upgrade prompts, enabling/recording telemetry, creating and committing CLAUDE.md routing rules, running git rm/migrations, syncing artifacts/gbrain, and other config changes — which go beyond its stated read-only/reporting purpose and are therefore deceptive relative to that claim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's required workflow (e.g., Diff-aware mode + Phase 3 "Orient" and Phase 4 "Explore") explicitly directs the agent to visit and crawl arbitrary target URLs using the browse binary ($B goto, $B links, snapshots) and to follow page links/forms as part of testing, so untrusted/public web content can be read and used to drive navigation and testing decisions—exposing it to indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's setup step downloads and executes a remote install script at runtime via curl -fsSL "https://bun.sh/install" and then runs it with bash, which fetches and executes remote code as a required dependency for the browse/setup flow.
Issues (3)
- E004 (CRITICAL): Prompt injection detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata