testing-api-security-with-owasp-top-10

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt embeds bearer tokens/JWTs directly in curl commands and assigns a TOKEN_A variable used verbatim in Authorization headers, which requires the agent to include secret values in generated commands/outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's agent (scripts/agent.py) and the required workflow (SKILL.md) explicitly fetch and parse responses from arbitrary API base URLs (e.g., curl/ffuf calls to https://api.target.example.com and requests.get/requests.post to the provided base_url), treating those untrusted API responses as data that influence vulnerability findings and subsequent testing decisions, which could allow malicious third-party content to indirectly alter agent behavior.