security-automation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes hardcoded credentials and examples that place API keys/passwords directly into headers and authentication calls (e.g., Nessus X-ApiKeys, gmp.authenticate, Splunk connect), which requires handling/outputting secret values verbatim and is therefore insecure.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The OWASP ZAP example explicitly opens and spider-scans arbitrary web targets (zap.urlopen('http://target.com') and zap.spider.scan('http://target.com')) and then ingests alerts/results, meaning the agent would fetch and interpret untrusted third‑party web content (similarly Burp examples process external HTTP requests/responses).