API Fuzzing for Bug Bounty

Fail

Audited by Snyk on Feb 21, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The skill content contains explicit, actionable instructions for data exfiltration and credential theft (e.g., an iplogger image for IP disclosure, SSRF/LFI examples, SMB/URL callbacks, and examples showing retrieval of passwords/JWTs), plus clear remote-command-execution vectors (command injection payloads, path traversal to sensitive files) and evasion techniques (rate-limit bypass, IP rotation); together these enable deliberate malicious abuse rather than serving only as benign guidance.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's core workflow (see Step 1: API Reconnaissance, e.g., sub-skills/step-1-api-reconnaissance.md, and the subsequent steps) explicitly instructs scanning and fetching public targets (e.g., kr scan https://target.com, checking /swagger.json, archive.org, the site's JS files and GraphQL endpoints), which requires ingesting untrusted, user-controlled web content that can influence subsequent tool use and actions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 21, 2026, 10:28 AM