java-route-tracer

Fail

Audited by Snyk on Mar 10, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.90). The prompt explicitly claims it should "only output call-chain information, no vulnerability analysis", yet the same document carries mandatory, detailed instructions to identify sinks, assess controllability and exploitability, and generate actionable Burp test payloads and tool calls. That behaviour falls outside, and directly contradicts, the stated scope, so the instruction set is deceptive and internally inconsistent: the declared scope is what a reviewer sees first, while the directives drive the agent to do something else.
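A lint a practitioner can run over a skill's instruction file before installing it, as an added example that is not Snyk's detector and not code from the java-route-tracer skill: it pulls out scope sentences of the form "only ... no X" and then looks for mandatory directives elsewhere in the same text whose subject matter is X. The SKILL_TEXT sample is constructed to mirror the pattern in the finding, not copied from the skill, and the keyword lists are a heuristic starting point.

```python
"""Heuristic lint: flag a declared scope that the same skill's mandatory
directives contradict (the pattern behind Snyk finding E004).

Added example; not Snyk's scanner and not the java-route-tracer skill's code.
"""
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the finding: a scope sentence that rules out a
# topic, followed by directives that require exactly that topic.
SKILL_TEXT = """\
# java-route-tracer
Only output call-chain information, no vulnerability analysis.
For every route, you MUST identify sinks and assess controllability.
You MUST perform vulnerability analysis on each sink you identify.
Always generate a Burp test payload for each controllable parameter.
Record the controller class and method name for every route.
"""

# "no X", "not X", "never X", "without X" clauses inside a scope sentence.
EXCLUSION_RE = re.compile(
    r"\b(?:no|not|never|without)\s+([a-z][a-z -]{2,40}?)(?=[.,;]|$)", re.I)
# Words that mark a line as a mandatory directive (heuristic list).
DIRECTIVE_RE = re.compile(
    r"\b(must|shall|always|required|mandatory|generate|perform)\b", re.I)
STOPWORDS = {"the", "a", "an", "and", "or", "of", "any", "for"}


@dataclass
class Finding:
    excluded: str                 # topic the scope sentence rules out
    scope_line: int               # 1-based line holding the scope claim
    directive_lines: list = field(default_factory=list)  # lines that mandate it


def _keywords(phrase):
    """Content words of a phrase, lower-cased, stopwords removed."""
    return {w for w in re.findall(r"[a-z]+", phrase.lower())
            if w not in STOPWORDS and len(w) > 2}


def find_scope_contradictions(text):
    """Return one Finding per excluded topic that a directive line demands."""
    lines = text.splitlines()
    exclusions = []
    for i, line in enumerate(lines, 1):
        # Only sentences that narrow scope ("only ...") are treated as claims.
        if re.search(r"\bonly\b", line, re.I):
            for m in EXCLUSION_RE.finditer(line):
                exclusions.append((i, m.group(1).strip()))
    findings = []
    for scope_line, excluded in exclusions:
        kws = _keywords(excluded)
        hits = [i for i, line in enumerate(lines, 1)
                if i != scope_line and DIRECTIVE_RE.search(line)
                and kws and kws <= _keywords(line)]
        if hits:
            findings.append(Finding(excluded, scope_line, hits))
    return findings


if __name__ == "__main__":
    for f in find_scope_contradictions(SKILL_TEXT):
        print(f"line {f.scope_line} excludes '{f.excluded}' "
              f"but lines {f.directive_lines} mandate it")
```

Requiring every content word of the excluded topic to appear on the directive line keeps false positives low at the cost of missing paraphrases; loosen the subset test to an overlap threshold if the skills you review use varied wording.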

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill mandates generating complete HTTP request templates and "testing data packets" populated with actual values (for example cookies, host/IP, and values extracted from source or tests) and instructs the agent to extract those values from code and decompiled files. This can force the LLM to reproduce secrets and session tokens verbatim in its output, creating an exfiltration risk.
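One mitigation for the behaviour described in W007 is to pass every generated request template through a redaction step before it is shown or sent anywhere, so cookie values, bearer tokens and credential-like parameters never leave the tool verbatim. The following is an added example, not part of the java-route-tracer skill or of Snyk's tooling; the sample request, its cookie and token values, and the header and parameter lists are constructed defaults, and the second function is a residual check for JWT-shaped strings that should come back empty after redaction.

```python
"""Redact credential-bearing values from a generated HTTP request template
(the exposure behind Snyk finding W007), then check that nothing JWT-shaped
survived. Added example; not the skill's or Snyk's code.
"""
import re

# Defensive default lists (assumptions, not taken from the skill).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "x-api-key", "x-auth-token",
                     "authorization", "proxy-authorization"}
SENSITIVE_PARAMS = {"token", "access_token", "api_key", "apikey", "password",
                    "passwd", "secret", "sessionid", "jsessionid", "sid"}
PLACEHOLDER = "<REDACTED>"

# Constructed sample; every secret-looking value here is fake.
SAMPLE_REQUEST = (
    "POST /api/orders?user=42&access_token=eyJhbGciOiJIUzI1NiJ9.fake.sig HTTP/1.1\r\n"
    "Host: shop.example.internal\r\n"
    "Cookie: JSESSIONID=9F3A1C2B7E; theme=dark\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.fake.sig\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "item=1001&qty=2&password=hunter2"
)

# Header.payload.signature with the base64url "eyJ" prefix of a JSON header.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _redact_pairs(qs):
    """Blank the value of any k=v pair whose key is credential-like.
    Splits by hand instead of re-encoding so untouched pairs stay byte-identical."""
    out = []
    for part in qs.split("&"):
        key, sep, value = part.partition("=")
        if sep and key.strip().lower() in SENSITIVE_PARAMS:
            value = PLACEHOLDER
        out.append(key + sep + value)
    return "&".join(out)


def _redact_cookie(cookie):
    """Keep the cookie name (useful for the template), drop every value."""
    name, _, _ = cookie.strip().partition("=")
    return f"{name}={PLACEHOLDER}"


def redact_request(raw):
    """Return the request template with credentials replaced by PLACEHOLDER."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    path, qmark, query = target.partition("?")
    if qmark:
        target = path + "?" + _redact_pairs(query)
    out = [f"{method} {target} {version}"]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        if key == "cookie":
            value = "; ".join(_redact_cookie(c) for c in value.split(";"))
        elif key in ("authorization", "proxy-authorization"):
            scheme, _, _ = value.partition(" ")   # keep "Bearer"/"Basic"
            value = f"{scheme} {PLACEHOLDER}" if scheme else PLACEHOLDER
        elif key in SENSITIVE_HEADERS:
            value = PLACEHOLDER
        out.append(f"{name}: {value}")
    if body and "application/x-www-form-urlencoded" in head.lower():
        body = _redact_pairs(body)
    return "\r\n".join(out) + sep + body


def residual_secrets(text):
    """JWT-shaped strings still present; expected to be empty after redaction."""
    return JWT_RE.findall(text)


if __name__ == "__main__":
    redacted = redact_request(SAMPLE_REQUEST)
    print(redacted)
    print("residual JWTs:", residual_secrets(redacted))
```

Cookie values are redacted wholesale rather than by name because session identifiers are routinely renamed; the residual check is deliberately separate so it can be applied to the model's final answer as well, not only to the template the tool built. JSON bodies are not handled here and would need a parser of their own.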
Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 10, 2026, 04:35 AM