perfect-web-clone

Fail

Audited by Snyk on Feb 26, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill explicitly instructs subagents to "Use Original URLs" and to copy fields from chunk JSON (images, html, styles) into generated components, which forces the LLM to reproduce any verbatim URLs or strings (including pre-signed URLs or token-bearing resources) and thus can leak secrets.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's required workflow explicitly loads arbitrary public URLs with Playwright (see SKILL.md Phase 2 and scripts/extract_page.py / docs/EXTRACTION.md), extracts raw HTML/DOM/assets, and injects those untrusted page contents into subagent Task prompts (see SKILL.md Phase 4 and docs/CODE_GENERATION.md), so third-party user-generated content is read and can directly influence tool actions and code-generation decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill runs scripts/extract_page.py at runtime to load a user-supplied external webpage URL (e.g., "https://stripe.com" / "https://example.com") and injects the extracted HTML/assets into subagent prompts, so fetched remote content directly controls the prompts used for code-generation.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 26, 2026, 06:57 AM