prd-test-writer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). 不安全：该 skill 明确要求“每步命令含全部环境变量字面值”并允许用“真 Key 证据”验证上游，等同于在测试步骤/产出中包含 API key/密钥等敏感值的明文，从而迫使模型处理并输出秘密。

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The HTML templates include a direct import of mermaid from https://cdn.jsdelivr.net/npm/mermaid@11/dist/mermaid.esm.min.mjs which will be fetched and executed when the generated review HTML is opened (the templates require Mermaid to render diagrams), so this is a runtime external dependency that executes remote code.