test

Fail

Audited by Snyk on Mar 25, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes bash/curl examples that create accounts with plaintext passwords, retrieve and echo JWT tokens, and instruct composing Authorization headers (e.g., "Authorization: Bearer {token}"), which requires emitting secret values verbatim in commands/outputs — a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses untrusted, public user-generated email content from Mail.tm (via its public API) and by navigating Mailinator/Guerrilla Mail web inboxes (see "Mail.tm API Reference", "Polling for messages", and Mailinator/Guerrilla Mail fallback sections), then extracts verification links that the agent navigates and uses to drive test decisions—clearly exposing the agent to third-party content that can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill requires runtime fetching/execution via npx @playwright/mcp@latest (in .mcp.json) which runs remote code, and it directly uses the Mail.tm API (https://api.mail.tm) and browser mail services (e.g., https://www.mailinator.com, https://www.guerrillamail.com/) at runtime to retrieve email content/verification links that directly control the agent's navigation and test flow, making these required runtime external dependencies.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 25, 2026, 06:22 AM
Issues: 3