qa

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.80). The skill embeds explicit, non-QA directives — e.g., auto-upgrade flows, telemetry/analytics opt-ins, creating or committing CLAUDE.md routing, vendored migration (git rm), global config writes, and plan-mode override rules — which instruct the agent to change repo/global state and override safety behavior unrelated to "test and fix" and therefore constitute out-of-scope/deceptive instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly directs the agent to visit and ingest arbitrary user-supplied or public web pages (e.g., Phase 3–5 $B goto , $B links, snapshots) and to run WebSearch during test bootstrap, and then uses the observed page content and search results to drive testing, fixes, and tool actions, so untrusted third‑party content can materially influence decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's setup step will run curl -fsSL "https://bun.sh/install" to download and then execute the installer script (bash "$tmpfile") at runtime, which fetches and runs remote code from https://bun.sh/install.