testing-mobile-api-authentication

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs embedding authentication tokens and credentials directly into commands (e.g., Authorization headers and shell variables) and to decode/use JWTs, which requires inserting secret token values verbatim into generated requests/commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's scripts and workflow (SKILL.md, scripts/agent.py, and scripts/process.py) actively send requests to a user-specified base_url and endpoints (discover_auth_endpoints, test_no_auth_access, analyze_jwt, test_idor, etc.), decode and interpret JWTs and API responses from arbitrary third-party targets, and use those untrusted responses to drive testing decisions and findings—so it clearly ingests untrusted third-party content that can influence behavior.