saas-session-recon

Fail

Audited by Snyk on Mar 6, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs extracting full cookie/token values (including HttpOnly via network captures) and embedding them verbatim into commands and code (e.g., Cookie headers in Bun/curl tests and a "credential extraction recipe"), which requires the LLM to handle and output secrets directly, creating a high exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This skill provides explicit, step-by-step techniques to enumerate and extract session cookies (including HttpOnly via network captures), compute/forge auth tokens (e.g., SAPISIDHASH), and exfiltrate/pass them to an agent (native messaging) to enable a stealthy Chrome-extension API proxy and account takeover—constituting clear credential theft and unauthorized access behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). This skill autonomously navigates to and scrapes live third‑party web apps and documentation (e.g., via navigate/read_page, read_network_requests, javascript_tool to enumerate cookies/localStorage and capture Set-Cookie/response headers, plus bun fetch of external docs in Phase 2.5), treating that untrusted web content as input to decide tests and generate credential‑extraction recipes — meeting all criteria for indirect prompt‑injection risk.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 6, 2026, 08:44 PM