screengrabs

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes insecure examples that hardcode credentials in pre-scripts (e.g., 'password123') and an option to pass session cookies as a CLI argument (--auth-cookie ), both of which require embedding secret values verbatim in commands/code and thus create exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs visiting arbitrary preview or public base URLs (SKILL.md Step 2 and the capture command examples) and scripts/capture.ts performs page.goto on base-url+route, runs pre-scripts against the live page, and writes/reads DOM text and screenshots for verification—meaning untrusted, user-provided web page content is fetched and interpreted and can influence interaction logic and subsequent actions.