demo

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to read target files and user-provided credentials and then embed those values directly as constants in generated Playwright scripts (and to prompt the user for credentials to write into outputs), which requires emitting secret values verbatim and therefore risks exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill generates and runs Playwright scripts against the target BASE_URL taken from .demoflow/targets/{target-name}.md (including production URLs) and its Run Flow/Script generation steps explicitly instruct the script to visit and extract/read page content (e.g., [save: var from url], OTP handling), so it will fetch and interpret arbitrary public web pages whose untrusted content can influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly installs and imports the external npm package via "npm install skill-demoflow" and "import ... from 'skill-demoflow'", which fetches and executes remote package code at runtime and provides requestInput()/runtime prompt handling, so this external package is a required runtime dependency that can directly control prompts and execute code.