essential-tools

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The content contains explicit, actionable malicious patterns (cookie/token exfiltration payloads to attacker domains, examples of executing remote shell scripts via curl|bash and base64 obfuscation, automated credential stuffing flows, SSRF/cloud metadata theft techniques, and instructions for out‑of‑band callbacks) that enable deliberate data exfiltration and remote compromise if abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Playwright automation workflow (reference/playwright-automation.md), including explicit steps like "playwright_navigate to load target page" and subsequent snapshot/evaluate/network inspection, requires the agent to fetch and interpret arbitrary public web pages (and Burp Collaborator callbacks) as part of its decision and exploitation workflow, exposing it to untrusted third-party content that could carry indirect prompt-injection instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly configures and relies on the Playwright MCP server to run at runtime via npx/@executeautomation/playwright-mcp-server (see https://github.com/executeautomation/playwright-mcp-server), which fetches and executes remote code as a required dependency.