performing-graphql-introspection-attack

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt's examples and workflow explicitly embed Authorization headers, bearer tokens, passwords, and other secrets directly into HTTP requests and GraphQL payloads (e.g., "Authorization: Bearer ", user_token/admin_token, and inline passwords), which requires an agent to include secret values verbatim in generated outputs/requests.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill explicitly implements offensive GraphQL attacks—full schema introspection and saving of schema, error-based schema reconstruction, alias-based batched login brute-forcing to harvest tokens, field-name brute-forcing, and multiple DoS/resource-exhaustion techniques (deep nesting, wide/aliased fields, large batched requests, circular fragments)—all deliberate abuse behaviors enabling credential theft and service disruption (no evidence of hidden backdoors, RCE, obfuscation, or external data exfiltration to third‑party servers was found).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill actively sends requests to arbitrary GraphQL endpoints and ingests their responses (e.g., SKILL.md Step 2 "Full Introspection Query" and scripts/agent.py's run_introspection which call requests.post to TARGET/GRAPHQL_URL and parse resp.json(), plus Step 4 error-based schema reconstruction), so untrusted third‑party content is read and directly drives subsequent analysis and attack behavior.