exploiting-api-injection-vulnerabilities

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly sends requests to cloud metadata and prints/saves response text (e.g., resp.text[:300]) and includes an Authorization header placeholder, which means any discovered credentials (IAM keys, tokens, passwords) would be captured and output verbatim, creating a direct exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content contains explicit, actionable exploit payloads and attack flows — e.g., SSRF to cloud metadata for IAM credential theft, command payloads that exfiltrate to attacker-controlled hosts, and destructive SQL payloads like DROP TABLE — which enable data exfiltration, credential theft, and system compromise and therefore present deliberate malicious capability.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill (SKILL.md workflow and scripts/agent.py) explicitly issues HTTP requests to arbitrary target URLs (e.g., BASE_URL and the required --url parameter) and reads/parses resp.text/resp.json to detect injection indicators and drive findings, meaning it ingests untrusted third-party API responses that can materially influence subsequent decisions and actions.