stepwise-testing

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt mandates verbose logging and printing of full variable states, request headers, and inputs (e.g., f-strings, response.headers, debug_states) which would cause any in-memory secrets (API keys, tokens, cookies, passwords) to be output verbatim if present.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md "Network Request Verification" section and examples (e.g., the code that calls requests.get(url), socket.gethostbyname(urlparse(url).hostname, and prints response.text/headers) explicitly instruct fetching and inspecting arbitrary URLs, meaning untrusted third‑party content would be read and could affect test/assertion outcomes.