sniff

Fail

Audited by Snyk on Mar 7, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs capturing HTTP auth headers, cookies, POST data and then listing "Usernames, passwords, session tokens, and API keys captured" in the summary, which requires the agent to output secret values verbatim and therefore creates an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This workflow explicitly instructs harvesting HTTP credentials, cookies and POST data, extracting transferred files, and detecting DNS tunneling. These actions directly enable credential theft and data exfiltration (high-risk dual‑use); no hidden backdoor or remote‑execution constructs were observed.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to capture and read HTTP request/response bodies, cookies, POST data and DNS queries, and to export files from live interfaces or .pcap files (see "HTTP Credential Capture" and "File Extraction" with tshark --export-objects and POST/cookie capture commands). All of this is arbitrary, untrusted third-party content that the agent must interpret and that could materially influence follow-up actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (medium risk: 0.60). The prompt explicitly tells the agent to recommend running with sudo (e.g., "suggest running with sudo or using sudo tshark directly"), which encourages obtaining elevated privileges, though it does not instruct modifying system files or creating accounts.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 7, 2026, 12:16 PM