test-staging-branch

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt explicitly extracts OTP codes from Gmail (via evaluate_script) and then instructs filling them into form fields (chrome_fill with a value), which requires the agent to include secret OTPs verbatim in generated actions/commands, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's workflow explicitly opens public Vercel preview sites and Gmail (e.g., chrome_new_page({ url: 'https://mail.google.com' })) and uses snapshots/evaluate_script to read email text/OTP and page content, meaning untrusted third‑party user-generated content is ingested and can directly drive login and subsequent actions.