testing-for-xss-vulnerabilities-with-burpsuite

Fail

Audited by Snyk on Mar 15, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The content is a dual-use XSS testing guide and companion script that intentionally includes explicit data-exfiltration proof-of-concept payloads (cookie theft, keylogger, screenshot upload to attacker-server.example.com, and references to blind XSS services); these are deliberate malicious actions if used outside an authorized test. The agent script itself contains no hidden backdoor or remote-code execution, but it automates payload injection and reflection detection, which can facilitate exploitation.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and parses arbitrary target web pages (see scripts/agent.py: requests.get usage in find_reflection_points, fuzz_xss_payloads, test_stored_xss_endpoints, analyze_csp, and the SKILL.md crawl/scan steps). Untrusted webpage content is treated as input that drives fuzzing and scan decisions, so third-party content can materially influence agent actions.

Issues (2)

E006 (CRITICAL): Malicious code pattern detected in skill scripts.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 15, 2026, 12:26 AM
Issues: 2