performing-web-application-scanning-with-nikto

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed credentials directly on the command line (e.g., nikto -id admin:password and proxy URLs), which requires the agent to include secret values verbatim in generated commands—an insecure pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly runs Nikto against arbitrary targets supplied via CLI or a targets file (see SKILL.md "Step 4: Scan Multiple Targets" and scripts/process.py which reads --targets/targets.txt) and then parses the scanner's XML/STDOUT outputs (scripts/agent.py and scripts/process.py) to classify findings and drive decisions (e.g., CI/CD "Block Deploy"), meaning it ingests untrusted public web content that can materially influence actions.