private-api-reversal
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill provides detailed instructions and code templates for extracting and re-using sensitive session credentials from a browser, including session cookies (e.g., `SID`, `HSID`), Bearer JWTs, and CSRF tokens.
- [COMMAND_EXECUTION]: Instructions guide the agent to capture full HTTP requests from browser DevTools as cURL commands for execution in a terminal. It also includes TypeScript code utilizing `fs.readFileSync` and `fs.writeFileSync` (via Playwright) to manage authentication state on the local file system.
- [EXTERNAL_DOWNLOADS]: Recommends the use of external tools for traffic interception and automation, including mitmproxy, Burp Suite, and Playwright (a well-known automation library from Microsoft).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it instructs the agent to ingest untrusted data (HTML page source and API responses) and process it using regular expressions to extract security tokens without implementing sanitization or boundary markers.
  - Ingestion points: `fetch()` responses from external web applications and HTML source code captured via browser tools.
  - Boundary markers: None present; the methodology does not define delimiters to separate untrusted web content from agent instructions.
  - Capability inventory: The methodology utilizes `fetch` for network operations and `fs` for local file access.
  - Sanitization: Lacks sanitization; relies on raw regex matching (e.g., `html.match(/"SNlM0e":"([^"]+)"/)`), which could be manipulated by maliciously crafted web content.
Audit Metadata