qa-team

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill includes many examples that embed plaintext credentials directly into YAML and command steps (e.g., "password123", "TestPass123!"), which encourages generating outputs that contain secrets verbatim instead of using secure env vars or CLI-managed auth.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill includes web navigation and content ingestion actions (e.g., the Web agent's "navigate" and "wait_for_element" steps) and a freshness-check/clone workflow that fetches GitHub releases/repos (SKILL.md and README.md), and those fetched public pages/repo contents are consumed by comprehension agents to drive verification and pass/fail/next actions—exposing the agent to untrusted third‑party content that could carry indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill contains a runtime command that fetches and runs remote code via uvx (git+https://github.com/rysweet/amplihack) — e.g. 'uvx --from git+https://github.com/rysweet/amplihack ...' — which downloads and executes external code that can control agent behavior.