ios-device-automation
Fail
Audited by Snyk on Apr 30, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed credentials/passwords directly in CLI commands and act prompts (e.g., filling a password 'pass123' and showing MIDSCENE_MODEL_API_KEY values), which instructs the agent to include secret values verbatim in its outputs.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to read and act on external web content and images (e.g., launching arbitrary URLs/deep links under "Launch an App, URL, or Deep Link" and using remote image URLs in the "tap --locate" example such as https://github.githubassets.com/...), and the workflow requires reading screenshots/reference images to decide subsequent act commands, so untrusted third-party content can directly influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs the Midscene CLI at runtime via "npx -y @midscene/ios@1" (which downloads and executes the remote @midscene/ios package — see https://midscenejs.com), so it relies on fetching and running external code during execution.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).