implementing-taxii-server-with-opentaxii

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes plaintext credentials in config and example code (e.g., "admin_password_change_me", hardcoded username/passwords, and patterns that embed tokens in Authorization headers), which requires the agent to handle or reproduce secret values verbatim in outputs—an insecure pattern that enables exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow and scripts (SKILL.md TAXIIConsumer.poll_collection and extract_iocs_for_siem, plus scripts/agent.py's check_taxii2_discovery and raw HTTP fallback) fetch and parse STIX objects from arbitrary TAXII server URLs (user-specified/open endpoints) and then act on those indicators (e.g., pushing IOCs to Splunk/Elasticsearch), meaning untrusted third-party content is ingested and can materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The docker-compose runtime runs "pip install medallion" which fetches and then executes the medallion package from PyPI (e.g., https://pypi.org/project/medallion), so the skill will fetch and run remote code at runtime and depends on it to start the TAXII server.