mhr-cfw-domain-fronting-relay

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill instructs users to insert secrets verbatim into Code.gs and config.json (AUTH_KEY and GAS deployment IDs), which would require an agent to output those secret values directly and thus creates an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.75). While many links are to legitimate services (Google Apps Script, Cloudflare, browser extension stores, ipleak/whoer), the bundle includes an unknown GitHub repo used to distribute proxy code, a third‑party PyPI mirror (requested with --trusted-host), and instructions for domain‑fronting via user‑controlled workers/GAS — all of which are strong indicators that these URLs could be abused to distribute or execute malicious code, so treat as moderately high risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The content intentionally implements domain fronting to hide destination traffic and bypass DPI (routing through Google Apps Script and Cloudflare Workers), includes guidance to circumvent quotas and expose public relays, and thus presents a high risk for deliberate abuse (anonymizing/misdirecting traffic) despite lacking explicit backdoor/exfiltration code.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly documents that the Cloudflare Worker (script/worker.js) “extracts the target URL” and “fetches the target on behalf of the client” and the Google Apps Script (script/Code.gs) exposes a public relay endpoint, meaning the runtime will fetch and return arbitrary public websites (untrusted third‑party content) as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill requires and calls a Google Apps Script web app endpoint (e.g., https://script.google.com/.../exec with Deployment ID like AKfycb...) and a Cloudflare Worker URL (https://your-worker-name.workers.dev) at runtime, both of which execute remote code on each request and are required for the relay to operate, so they are runtime external dependencies that execute remote code.