exploiting-oauth-misconfiguration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill contains numerous curl examples and workflows that embed client_secret, access tokens, authorization codes, and other secrets directly into commands/outputs (e.g., POST bodies and Authorization headers), which would require the agent to handle or output secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content contains explicit, actionable instructions and tooling to steal OAuth authorization codes and access tokens (e.g., redirecting to attacker-controlled domains, Referer/token leakage, code reuse, CSRF account-linking and token substitution), i.e., deliberate credential-theft and data-exfiltration techniques even if framed for authorized testing.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The agent directly fetches and parses untrusted public endpoints (e.g., scripts/agent.py's discover_oidc_config which GETs {base_url}/.well-known/openid-configuration and then uses the returned authorization_endpoint/token_endpoint to drive further requests and assessments), so external site content can influence its actions.