ffuf-web-fuzzing
Fail
Audited by Snyk on Mar 6, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs creating raw request files and examples that include Authorization headers, cookies, and JWTs and tells the agent to insert users' auth tokens/cookies into req.txt for authenticated fuzzing, which requires outputting secret values verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent/user to run ffuf against arbitrary public targets (e.g., "ffuf -w … -u https://target.com/FUZZ") and to analyze the resulting ffuf output (see Notes for Claude and resources/ffuf_helper.py which calls "analyze results.json"), meaning the agent will ingest and act on untrusted, public web content that can materially influence follow-up scanning/decisions.