desi-webdesign-practicies-extraction

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt explicitly requires storing and outputting the original reference URL verbatim (when provided), which could contain embedded secrets (API tokens, keys, cookies in query strings or fragments), so the agent may be forced to emit secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly accepts and inspects live URLs and public repos (see "The input may be: ... a live URL" and "If the user provides a live URL, store it verbatim" plus "Live URL: inspect rendered behavior first" in SKILL.md), so the agent will fetch and interpret untrusted third‑party web content that can materially influence its reconstruction decisions.