ffuf-web-fuzzing

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly shows and encourages embedding bearer tokens, session cookies, and user-provided auth tokens into raw request files and command examples (e.g., req.txt and -H "Authorization: Bearer TOKEN"), which requires the LLM to accept and reproduce secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the assistant to analyze user-provided ffuf outputs and authenticated request files (see "Notes for Claude" in SKILL.md and the ffuf_helper.py analyze function which reads results.json, plus workflows that ask the agent to "analyze ffuf results" and act on anomalies), meaning it ingests untrusted, public-target-derived content (ffuf scan results / HTTP responses) that can materially influence follow-up actions.