k6-load-test

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes hardcoded credentials and examples that embed API keys on the command line or in code (e.g., password: 'password123', --env API_KEY=xxx, __ENV.API_KEY || 'default-key'), which requires the model to output secret values verbatim and creates an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The script imports and executes remote JavaScript modules at runtime from https://jslib.k6.io/papaparse/5.1.1/index.js (and similarly https://jslib.k6.io/k6-summary/0.0.1/index.js), which are fetched and executed by k6 and are required for the script's functionality, so they constitute remote code execution at runtime.