testing-for-host-header-injection

SUSPICIOUS: the skill is internally consistent as a host-header-injection testing guide, but it gives an AI agent offensive security capabilities, including SSRF probing, internal host enumeration, token-theft validation, and OOB callback collection via interact.sh/Burp Collaborator. There is little supply-chain risk, but the operational risk is high because the skill can be used directly against live systems and capture sensitive data from targets.