job-auto-apply

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly tells agents to read credentials from secrets.md and to auto-fill/login/register using Playwright (filling forms, typing passwords), which requires the LLM to embed secret values verbatim in its generated tool actions/outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs subagents to fetch and "read the FULL job description" from {JOB_URL} via WebFetch/Playwright and to "read the company's About/Mission page" (Prepare Subagent Step 0) and to "observe the page at each step, decide what to do next" during submission (Submit Subagent), meaning arbitrary public job postings and company pages are ingested and directly influence resume tailoring, submission decisions, and automated actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly navigates at runtime to arbitrary job URLs ({JOB_URL}) — e.g. linkedin.com/jobs/, indeed.com/viewjob, and company career pages — and reads the FULL job description to extract keywords and drive resume/cover-letter generation, so external pages fetched at runtime can directly control prompts and model behavior.