testing-cors-misconfiguration
Fail
Audited by Snyk on Mar 15, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.85). These URLs are high-risk because they include attacker-controlled and "evil" domains, typosquatted hostnames (e.g., target.example.com.evil.com, target.example.com%60.evil.com), and collection endpoints that can host or orchestrate malicious payloads or exfiltrate data. Although no explicit executable filenames are present, the mix of malicious-looking domains and internal/loopback addresses (which can be abused) makes them suspicious.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). Although framed as a penetration‑testing guide, the content includes explicit exploit proof‑of‑concepts (HTML/JS) that instruct how to read victim-authenticated API responses (credentials included via withCredentials) and exfiltrate them to attacker-controlled endpoints. This is a direct data‑exfiltration and credential-theft capability and therefore presents clear malicious intent/abuse potential.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill's runtime workflow (scripts/agent.py and the SKILL.md curl examples) actively fetches and parses HTTP responses from arbitrary public target endpoints—e.g., test_origin_reflection and scan_endpoints in scripts/agent.py read Access-Control-Allow-* headers from third-party sites and use those values to determine severity and next actions—so untrusted third-party content is ingested and directly influences decisions.
Issues (3)
- E005 (CRITICAL): Suspicious download URL detected in skill instructions.
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata