flow

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to resolve environment variables via commands like echo $TEST_EMAIL and then use those literal values in form-fill tool calls, which requires the LLM to obtain and include secret values verbatim in its outputs/tool arguments.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The Walk mode explicitly instructs the agent to navigate a user-specified dev server URL (including a "Custom URL") and then read and interact with the loaded web pages via the Chrome MCP tools (mcp__claude-in-chrome__navigate / find / click) — meaning it will fetch and interpret arbitrary third-party page content as part of its workflow, which can materially influence actions.