nikto

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to embed credentials and session cookies directly into command lines (e.g., -id user:pass, -C "PHPSESSID=abc123" and authenticated-scan wrappers), which requires including secret values verbatim and creates exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs running nikto against arbitrary web targets (e.g., "nikto -h http://" and multi-host scans) and to ingest structured JSON output from wrapper scripts ("Always add -j for JSON output"), meaning the agent fetches and parses untrusted public web content whose responses can drive subsequent tool use and decisions.