bug-bounty-program

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed credentials directly in commands/requests (e.g., --cookie="session=abc123", --data="user=test&pass=test", and explicit collaborator/webhook IDs), which encourages including secret values verbatim in generated output and thus creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill explicitly instructs the agent to fetch and analyze arbitrary public web content (e.g., amass/subfinder/gobuster, wappalyzer/whatweb against https://target.com, waybackurls/gau, Google Dorks, webhook.site and Burp Collaborator), so the agent would ingest untrusted, user-generated third-party content during reconnaissance and could be exposed to indirect prompt injection.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:43 AM