drupal-major-upgrade-validation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly asks the user for admin credentials and requires the agent to perform login actions (e.g., Playwright scripts/commands) that will force embedding those username/password values verbatim into generated test code or commands, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's required Default Test Plan explicitly extracts first-level navigation links and then "visit[s] every first-level menu item" and randomly samples subpages (via playwright-cli), so it will fetch and act on arbitrary site pages (which may be public/user-generated or contain external hrefs) and those pages can steer which URLs the agent visits and what interactions it performs.