performing-web-cache-deception-attack
Fail
Audited by Snyk on Apr 7, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill repeatedly instructs embedding session cookies and sensitive tokens into curl commands (e.g., curl -b "session=VICTIM_SESSION") and directs searching/exfiltration of API keys/tokens, which requires the agent to handle and potentially output secret values verbatim.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This content explicitly documents and automates a technique to exfiltrate authenticated user data via web-cache-deception (including social-engineering steps, indicators to harvest PII/tokens, and a script to detect/confirm cached sensitive responses), which is a deliberate offensive capability that can be abused to steal credentials and sensitive information.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's workflow and code (SKILL.md and scripts/agent.py) explicitly fetch arbitrary public web pages (curl to http://target.com/* and requests.get to a user-supplied target_url), parse and compare the returned HTML for PII and cache status, and use those results to drive vulnerability findings and follow-up actions, so it consumes untrusted third-party content that can materially influence the agent's decisions.
Issues (3)
- HIGH W007: Insecure credential handling detected in skill instructions.
- CRITICAL E006: Malicious code pattern detected in skill scripts.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata