qa-exploring-tester

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly asks the agent to collect and pass "Credentials / test data" and even includes an example with plaintext credentials ("Credentials: test@example.com / TestPass123"), which requires the LLM to receive and potentially emit secret values verbatim when spawning subagents and generating reports—creating a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly requires a "Target URL / staging environment" in SKILL.md and the agents (e.g., qa-e2e-exploratory-agent) are instructed to navigate and semantically interpret web pages (see references/ai-models.md "When navigating a page, describe what you see" and scripts/browser_setup.py example page.goto), so it will fetch and act on arbitrary third-party web content that could contain untrusted instructions.