test-staging-branch

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt explicitly extracts OTP codes from Gmail (via evaluate_script) and then instructs filling them into form fields (chrome_fill with a value), which requires the agent to include secret OTPs verbatim in generated actions/commands, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill navigates to arbitrary Vercel preview URLs and opens Gmail (https://mail.google.com) to read OTP emails and page content (using chrome_take_snapshot and chrome_evaluate_script), which are untrusted / user-generated third-party sources the agent directly ingests and interprets.