ez-ui

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs passing credentials directly (e.g., "browser-login " and mentions HA_TOKEN / HA_BROWSER_USER / HA_BROWSER_PASS), which encourages embedding secret values verbatim in commands or requests.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly recommends creating a dedicated Home Assistant user "without 2FA" and instructs storing persistent browser session state (writing to /data), which alters the application's authentication state and lowers security, so it encourages changes that compromise the machine/app state.