Cybercentry Web Application Verification

Fail

Audited by Snyk on Feb 21, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes an "authenticated scans" example that embeds a session_cookie value directly in the JSON requirements and passes it to an acp job create command, so secret session tokens must be included verbatim in the request and on the command line.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs users to submit arbitrary public website URLs (e.g., "When creating verification jobs, you submit website URLs" and the "Scan Your Web Application" / "acp job create" examples), which the service will fetch and analyze. Untrusted third-party page content can therefore be ingested and influence scan results and downstream deployment decisions.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 21, 2026, 06:13 AM