api-test-executor

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt requires running requests "with exact payload and headers" and reporting "exact request signatures (method, path, key headers...)" using provided auth_material, which forces inclusion of Authorization/key headers and therefore verbatim secret values in outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill retrieves and interprets responses from arbitrary target APIs (via the target_base_url) — e.g., "Phase 2: Capture full response metadata and body hash" and "Phase 3: Outcome Classification" — so untrusted third-party response content can directly influence verdicts and subsequent test actions.