exploiting-mass-assignment-in-rest-apis
Fail
Audited by Snyk on Mar 15, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt contains numerous curl examples and automation commands that embed an Authorization header/token (e.g., "Authorization: Bearer USER_TOKEN") and would require the agent to insert API tokens or user secrets verbatim into generated commands/requests, creating an exfiltration risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This is an explicit exploit-oriented guide (with an automation script and field wordlists) that enables unauthorized privilege escalation, financial manipulation, and account takeover via mass-assignment attacks — high potential for malicious abuse; it does not contain hidden exfiltration, obfuscated payloads, remote code execution, or persistent backdoor constructs.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill clearly fetches and interprets JSON from arbitrary public API endpoints (see scripts/agent.py's get_baseline_response and test_mass_assignment which GET/POST/PUT/PATCH target URLs) and SKILL.md's curl/swagger.json/openapi.yaml steps, so untrusted third-party responses are read and can materially influence testing actions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly instructs how to manipulate financial fields via API requests (e.g., PATCH /api/wallet to set "balance", POST /api/orders to set "price", POST /api/checkout to apply 100% discount, PATCH /api/subscription to set price/plan). These are concrete, actionable examples for changing account balances/prices and causing financial loss—i.e., direct financial execution via REST APIs—so it meets the criterion for direct financial execution capability.
Issues (4)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).