api-security-tester
Fail
Audited by Snyk on Mar 2, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt requires including "exact request signatures (method, path, key headers, payload hash)" and replaying requests, which would force capturing and outputting Authorization headers or API keys verbatim unless explicitly redacted, creating a direct secret-exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The Execution Workflow (Phase 1: Discovery) and the listed inputs (target_base_url and api_spec_or_collection) explicitly require the agent to fetch and interpret API specs and live endpoint responses from external targets, which are untrusted third-party content that can materially influence subsequent testing decisions and actions.