qa-only

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly tells the agent to ask for user credentials/2FA codes and then perform automated fills/commands (e.g., $B fill), which requires embedding those secrets verbatim in generated tool calls — creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's QA workflow explicitly instructs the agent to navigate and interact with arbitrary target URLs (e.g., "$B goto ", "If no URL is given... enter diff-aware mode" and "If no local app is found, ask the user for the URL"), which causes the agent to fetch and interpret untrusted public web content as part of its testing decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's runtime setup will curl and run the bun installer from https://bun.sh/install (downloaded into a temp file and executed) when bun is missing, which fetches and executes remote code as a required dependency.