api-tracer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill captures full request headers, cookies, and bodies and can generate curl exports and request details, which requires emitting secret values (Bearer tokens, API keys, cookies, passwords) verbatim in the output, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill attaches to Playwright-driven pages and records network requests and response bodies from arbitrary websites visited (see SKILL.md "操作页面" + lib/recorder.js _attachToPage which captures responseBody via CDP), then analyzes that untrusted third‑party content in lib/analyzer.js and lib/reporter.js to produce reports and curl commands that can influence subsequent actions.