exploiting-api-injection-vulnerabilities

Fail

Audited by Snyk on Mar 15, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs tests that extract sensitive values (for example, AWS IAM credentials reached via SSRF, and API tokens) and append resp.text or other response data to results/findings, which requires the agent to output the secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The content is a clearly offensive exploitation toolkit, not merely defensive examples: it includes explicit payloads and instructions that enable data exfiltration (SSRF to cloud metadata endpoints, curl to attacker-controlled servers), credential theft, destructive actions (e.g., DROP TABLE), and remote command execution. That functionality can be abused directly as backdoor or compromise tooling.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill issues HTTP requests to arbitrary target APIs (BASE_URL in SKILL.md and the --url parameter in scripts/agent.py) and directly reads and interprets resp.text/resp.json in its test_* functions and workflow (e.g., the SQL, NoSQL and SSRF checks). Untrusted third-party responses can therefore influence subsequent decisions and actions.
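
W007 and W011 describe one mistake seen from two sides: the response body is appended to the findings verbatim, and the same body is then read back as input to the next step. The block below is an added example of how a testing script can record evidence without doing either; it is not code from the audited skill or from Snyk. Secrets are replaced with a short fingerprint before anything from the body is stored, and only a hash, a length-bounded redacted excerpt, and flags derived from fixed checks reach later steps, so no later step consumes the raw third-party text. The secret regexes, the redact/record_finding names, the evidence limit, and the sample metadata response (constructed from AWS's published example key pair, not real credentials) are this example's assumptions.

```python
"""Record an HTTP test result without echoing secrets or trusting the body.

Added example, not code from the audited skill. Pattern list, function
names and the sample response are assumptions made for this illustration.
"""
import hashlib
import re

# Secret shapes the audit report mentions: AWS IAM credentials returned by
# the instance-metadata endpoint after SSRF, and bearer/session tokens.
# Group 1 of every pattern is the secret value to redact. Assumed patterns;
# tune them for the environment under test.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")),
    ("aws_secret_access_key", re.compile(r'"SecretAccessKey"\s*:\s*"([^"]*)"')),
    ("aws_session_token", re.compile(r'"Token"\s*:\s*"([^"]*)"')),
    ("bearer_token", re.compile(r"(?i)\bBearer\s+([A-Za-z0-9._~+/=-]{16,})")),
]

EVIDENCE_LIMIT = 300  # characters of redacted body kept as evidence (assumed)


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix: lets whoever holds the real value correlate it
    with the finding, while the finding itself never stores the value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def redact(text: str):
    """Replace every matched secret with a placeholder carrying its kind and
    fingerprint. Returns (redacted_text, kinds_hit)."""
    kinds = []
    for kind, pattern in SECRET_PATTERNS:
        def _sub(m, kind=kind):
            kinds.append(kind)
            placeholder = f"<REDACTED {kind} {fingerprint(m.group(1))}>"
            return m.group(0).replace(m.group(1), placeholder)
        text = pattern.sub(_sub, text)
    return text, kinds


def record_finding(check: str, url: str, status: int, body: str) -> dict:
    """Build a finding from a response without keeping the raw body.

    - secrets are redacted before anything from the body is stored (W007)
    - the body survives only as a hash plus a bounded redacted excerpt, and the
      'credential_exposed' flag comes from the fixed pattern checks, not from
      whatever the response text says, so later steps act on the flag and the
      status code rather than on untrusted content (W011)
    """
    redacted, kinds = redact(body)
    return {
        "check": check,
        "url": url,
        "status": status,
        "body_sha256": hashlib.sha256(body.encode()).hexdigest(),
        "body_length": len(body),
        "secrets_redacted": sorted(set(kinds)),
        "evidence": redacted[:EVIDENCE_LIMIT],
        "credential_exposed": bool(kinds),
        "untrusted_content": True,  # marks the excerpt as data, never instructions
    }


# Constructed sample: the shape of an instance-metadata credential response an
# SSRF probe might bring back. Uses AWS's documented example key pair.
SAMPLE_IMDS_BODY = (
    '{"Code":"Success","Type":"AWS-HMAC",'
    '"AccessKeyId":"AKIAIOSFODNN7EXAMPLE",'
    '"SecretAccessKey":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",'
    '"Token":"FwoGZXIvYXdzEBYaDEXAMPLETOKEN",'
    '"Expiration":"2026-03-15T20:00:00Z"}'
)

if __name__ == "__main__":
    # Assumed target URL, for illustration only.
    finding = record_finding("ssrf_metadata", "http://target.example/api/fetch",
                             200, SAMPLE_IMDS_BODY)
    for key, value in finding.items():
        print(f"{key}: {value}")
```

In a script like scripts/agent.py this replaces `findings.append(resp.text)`; the agent's report then carries fingerprints and a hash that a human can match against the live credentials, but never the credentials themselves, and the branch that decides "vulnerable" keys off `status` and `credential_exposed` instead of re-reading the body.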

Issues (3)

W007  HIGH      Insecure credential handling detected in skill instructions.
E006  CRITICAL  Malicious code pattern detected in skill scripts.
W011  MEDIUM    Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 15, 2026, 01:28 PM
Issues: 3