ffuf-web-fuzzing

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly shows and encourages embedding bearer tokens, session cookies, and user-provided auth tokens into raw request files and command examples (e.g., req.txt and -H "Authorization: Bearer TOKEN"), which requires the LLM to accept and reproduce secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill explicitly instructs running ffuf against arbitrary public targets (e.g., "ffuf -w ... -u https://target.com/FUZZ") and includes tooling (ffuf_helper.py analyze results.json) and guidance for Claude to read and interpret ffuf results, so the agent would consume untrusted, user-generated web responses from open third-party sites.