clean-code

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill mandates capturing "ALL output" from verification scripts and summarizing it verbatim to the user (errors/warnings/passes) without any redaction guidance, which could force the LLM to include secrets or tokens present in script/log output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill instructs agents to run site-auditing scripts that accept arbitrary URLs (e.g., python .../lighthouse_audit.py and python .../playwright_runner.py ) and then requires the agent to read and summarize the script output, which means it will fetch and interpret content from untrusted public web pages.