testing-api-security-with-owasp-top-10

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt embeds and uses literal bearer tokens (e.g., TOKEN_A="Bearer eyJhbGciOiJIUzI1NiIs...") and instructs building curl requests with Authorization headers, which requires including secret/token values verbatim in generated commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill (notably scripts/agent.py and the SKILL.md examples) issues HTTP requests to a user-supplied base_url (e.g., https://api.target.example.com) and parses response bodies and headers in functions like test_data_exposure, test_bola, test_security_headers, and test_cors, so untrusted third-party API responses are ingested and directly influence findings and subsequent behavior.