dast-scanning

Fail

Audited by Socket on Feb 16, 2026

1 alert found:

Malware (HIGH) in SKILL.md

[Skill Scanner] Installation of third-party script detected

All findings:
- [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
- [HIGH] hardcoded_secrets: Generic secret pattern detected (HS005) [AITech 8.2]

This is a legitimate DAST skill with examples and automation for OWASP ZAP, Burp Suite, Nikto and similar tools. There is no direct evidence of malware or intentional backdoors. However, the documentation and examples contain dangerous operational configurations that could lead to credential exposure or remote control of scanners if copied verbatim into CI or run in non-isolated networks, specifically:
- exposing the ZAP API (binding to 0.0.0.0 together with api.addrs.addr.name=.*),
- embedding example credentials in automation YAML,
- mounting host directories into containers in CI contexts, and
- installing binaries in runners without pinning.

Treat the content as BENIGN code-wise but SUSPICIOUS from an operational security perspective: follow secure defaults (restrict the ZAP API to localhost or a CIDR, do not commit credentials, protect CI artifacts and environment variables, and limit mounts).

LLM verification: The content implements a legitimate DAST orchestration skill and does not contain signs of malware or deliberate backdoors. The primary issues are insecure example configurations and risky defaults: hardcoded example credentials in automation YAML, exposing the ZAP API broadly, and unconditional uploading of potentially sensitive reports in CI. These are operational security concerns that can lead to credential leakage or unauthorized scanner access if examples are reused in production without harde
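The four operational concerns above (wildcard ZAP API exposure, hardcoded credentials, host mounts, unpinned installs) are easy to lint for before a CI pipeline copies such examples verbatim. The script below is an added example written for this page; it is not code from the dast-scanning skill, from Socket, or from the ZAP project. The regexes are my own and are written against ZAP's real config keys (api.addrs.addr.name, api.addrs.addr.regex, api.disablekey, api.key). Both CI snippets are constructed: the risky one has the shape the audit describes, the hardened one keeps the port on host loopback, uses an API key from a secret, and pins the image. In it, <pinned-digest> is a placeholder for an image digest you resolve yourself, and 172.17.0.1 is assumed to be the Docker default bridge gateway from which the host's requests reach the container.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    text: str


# One regex per operational concern named in the audit. The regexes are my own
# (assumption), written against ZAP's real config keys. A bare "-host 0.0.0.0"
# is deliberately not flagged: inside a container ZAP has to bind the container's
# interfaces; what matters is how the port is published and who the API admits.
RULES = [
    # API reachable from anywhere: wildcard allow-list, key disabled, or the
    # port published on all host interfaces ("-p 8080:8080" / "-p 0.0.0.0:...").
    ("zap-api-exposed", re.compile(
        r"api\.addrs\.addr\.name=\.\*|api\.disablekey=true"
        r"|(?:-p|--publish)\s+(?:0\.0\.0\.0:)?\d+:\d+")),
    # Literal value after password/api_key/token; values starting with "$"
    # (environment variables, ${{ secrets.X }}) are accepted.
    ("hardcoded-credential", re.compile(
        r"(?i)(?:password|passwd|api[._-]?key|token)\s*[:=]\s*['\"]?"
        r"(?![\s'\"]*\$)[^\s'\"]+")),
    # Host root, home directory or the Docker socket mounted into the scanner.
    ("host-mount", re.compile(
        r"(?:-v|--volume)\s+(?:/|/var/run/docker\.sock|~|\$HOME)(?::|\s)")),
    # curl|sh installers, pip installs without ==/--hash, floating :latest images.
    ("unpinned-install", re.compile(
        r"curl[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh\b"
        r"|pip3?\s+install\b(?!.*(?:==|--hash|-r\s))"
        r"|:latest\b")),
]


def scan(ci_text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in line order."""
    findings = []
    for n, line in enumerate(ci_text.splitlines(), start=1):
        for rule, rx in RULES:
            if rx.search(line):
                findings.append(Finding(rule, n, line.strip()))
    return findings


# Constructed sample (not from the skill): the shape of automation the audit warns about.
RISKY_CI = """\
steps:
  - run: curl -sSL https://example.invalid/install-zap.sh | sh
  - run: pip install zaproxy
  - run: |
      docker run -d -p 0.0.0.0:8080:8080 -v /var/run/docker.sock:/var/run/docker.sock \\
        zaproxy/zap-stable:latest zap.sh -daemon -host 0.0.0.0 -port 8080 \\
        -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true \\
        -config api.disablekey=true
  - run: zap-cli --zap-url http://localhost:8080 quick-scan http://target
    env:
      TARGET_PASSWORD: P@ssw0rd123
"""

# Constructed hardened counterpart. <pinned-digest> is a placeholder for the image
# digest you resolve yourself; 172.17.0.1 is assumed to be the Docker default bridge
# gateway the host's requests arrive from (adjust for your runner's network).
HARDENED_CI = """\
steps:
  - run: |
      docker run -d --name zap -p 127.0.0.1:8080:8080 \\
        -v "$GITHUB_WORKSPACE/reports:/zap/wrk:rw" \\
        ghcr.io/zaproxy/zaproxy@sha256:<pinned-digest> zap.sh -daemon \\
        -host 0.0.0.0 -port 8080 -config api.key="$ZAP_API_KEY" \\
        -config api.addrs.addr.name=172.17.0.1
    env:
      ZAP_API_KEY: ${{ secrets.ZAP_API_KEY }}
      TARGET_PASSWORD: ${{ secrets.DAST_PASSWORD }}
"""

if __name__ == "__main__":
    for label, text in (("risky", RISKY_CI), ("hardened", HARDENED_CI)):
        hits = scan(text)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line_no:>2} [{f.rule}] {f.text}")
```

Run it as a pre-merge check over pipeline YAML and the skill's own examples; the risky snippet trips every rule (8 hits across lines 2 to 11), the hardened one none. The hardened form still publishes a port, so the API key and the narrowed api.addrs allow-list are what stand between the scanner and anything else on the runner's network; if the scan can run entirely inside the container, drop the -p publish altogether.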

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 16, 2026, 01:20 PM
Package URL
pkg:socket/skills-sh/bagelhole%2Fdevops-security-agent-skills%2Fdast-scanning%2F@05c88bdbdb86149dcaadb1293bfccad02f410edd