worker-image-investigation

Fail

Audited by Snyk on May 11, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt instructs embedding a plaintext admin password ("Password1!") directly in an az vm create command, which requires the LLM to output the secret verbatim and is therefore insecure.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill programmatically fetches and parses data from external Mozilla services and public URLs (see scripts/investigate.py, which calls the Taskcluster API via the taskcluster CLI, and get_worker_sbom, which reads SBOM URLs, plus SKILL.md's curl calls to treeherder.mozilla.org and its SBOM_URL curl examples). It uses that untrusted third-party content to determine imageVersion, vmSize and VM names and to drive Azure VM actions, so remote content can change the agent's subsequent actions.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 11, 2026, 02:20 PM
  • Issues: 2