k6 Performance Testing

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes multiple examples with hardcoded plaintext credentials (e.g., "SecurePass123!") and patterns that embed passwords/tokens in requests or data files, which encourages the LLM to output secret values verbatim rather than using secure env/config handling.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's k6 scripts explicitly fetch and parse responses from arbitrary BASE_URL endpoints (for example, checkoutFlow posts to ${BASE_URL}/api/cart and uses JSON.parse(cart.body).id to drive a subsequent checkout request) and even imports runtime code from a third‑party CDN (https://jslib.k6.io/papaparse/…), so it clearly ingests and acts on untrusted third‑party web content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The script imports and executes remote code at runtime via the papaparse CDN URL (https://jslib.k6.io/papaparse/5.1.1/index.js), which is a required dependency used to parse CSV data during test execution.