pua-ja
Fail
Audited by Snyk on Mar 23, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt repeatedly requires the agent to run commands, "paste" command/tool outputs as evidence and explicitly allows asking the user for passwords/accounts when "really necessary", which creates situations where secret values or tokens from outputs or user responses would be included verbatim in the agent's output — an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to perform web searches and read external sources (e.g., "主体的に検索しろ", "原典を読め", "公式ドキュメント + Issues を検索", and even "Stack Overflowは検索したか?"), which requires fetching and interpreting untrusted public/user-generated content that can drive subsequent tool use and decisions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill repeatedly instructs the agent to run commands, modify configurations, restart services, perform deployments and “open a terminal / paste outputs” for end-to-end verification—actions that modify system state and can require elevated privileges, so it pushes behavior that can compromise the host.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.
Audit Metadata