exploiting-deeplink-vulnerabilities
Fail
Audited by Snyk on Mar 15, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The content is dual-use but contains explicit, actionable exploit instructions for data exfiltration and intent hijacking (e.g., javascript:fetch to external "evil.com" with document.cookie, token/callback exfiltration payloads, and guidance to create a malicious app registering the same URL scheme), which are deliberate abuse patterns enabling credential theft and link hijacking.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's workflow (SKILL.md) explicitly instructs fetching and checking public site files such as "curl https://target.com/.well-known/apple-app-site-association" and "https://domain/.well-known/assetlinks.json", which are untrusted third-party web resources that the agent is expected to read and that directly influence verification and subsequent testing decisions.
Issues (2)
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).