performing-graphql-introspection-attack

Fail

Audited by Snyk on Mar 15, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt's example code and workflows embed Authorization headers and plaintext credentials (e.g., "Bearer ", user passwords) directly into HTTP requests and generated queries, which would require an agent to insert secret values verbatim into outputs/commands, creating exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content implements explicit offensive capabilities — full schema extraction (sensitive-field discovery), alias-based credential brute-forcing (bypassing per-request rate limits), schema reconstruction via error messages, and multiple resource-exhaustion (DoS) techniques — which are deliberate abuse behaviors for data exfiltration, credential theft, and service disruption.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and parses responses from arbitrary GraphQL endpoints (see SKILL.md Step 1 probing TARGET paths, Step 2 full introspection, Step 4 error-based schema reconstruction) and scripts/agent.py (run_introspection/test_depth_limit) which ingest untrusted third-party response content and use it to drive further queries and attacks, so external content can materially influence subsequent tool actions.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Mar 15, 2026, 10:50 PM
  • Issues: 3