form-testing

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill includes examples that embed SMTP credentials directly in command-line WP-CLI JSON (user/pass) which would require the agent to place secret values verbatim into commands/configs, an insecure pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the agent to POST to arbitrary public URLs and parse their responses (see "Method 3: HTTP Form Submission Test" and curl examples that use -L/-v and grep on https://site.com/contact/), meaning it fetches and interprets untrusted third‑party web content and uses those results to drive testing decisions.