deep-research-offensive

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes explicit examples and commands that pass passwords, TOTP secrets, and auth info as plaintext CLI arguments (e.g., --password yourpassword, --totp-secret), which would require the agent to accept and embed secret values verbatim—an insecure pattern.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). These URLs are mostly indexing/aggregator and intelligence sources (Telegram channels, Twitter/X proxies, GitHub, Exploit-DB, NVD/CISA/MITRE) rather than official vendor download pages — they frequently surface PoC code, third‑party repos, and direct links to files (especially via Telegram and GitHub), so they can be used to distribute malicious executables and should be treated as potentially dangerous.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill's SKILL.md explicitly directs the agent to fetch and scrape open/public third‑party sources (e.g., Tavily searches, Firecrawl scrape/extract of NVD and GitHub, Playwright for Exploit-DB and xcancel.com, FxTwitter API, and tg.i-c-a.su Telegram JSON) and to interpret those untrusted, user-generated pages/posts as part of its research workflow, which can materially influence subsequent tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly calls Firecrawl scrape at runtime to fetch GitHub PoC repositories (e.g., https://github.com/{user}/{repo}) and inject their Markdown content into the agent's analysis context, which meets the criteria of a runtime fetch that can directly supply instructions or code the agent will act on.