web-reverse
Audited by Socket on Mar 21, 2026
2 alerts found:
Security x2
This script is a legitimate-looking API replay/reconstruction tool that builds HMAC signatures and sends authenticated requests using captured credentials. It does not contain obfuscated or self-propagating malware, but it does include hardcoded sensitive data (APP_KEY, SECRET, TOKEN) and performs network requests — making it potentially dangerous in a supply-chain context if real secrets are present. Treat any published package containing similar code and real credentials as high risk and remove secrets from source. Recommend rotating any keys/tokens present in code and performing a package audit before use.
SUSPICIOUS/HIGH-RISK skill. Its capabilities are internally consistent with its stated purpose, but that purpose is itself an offensive reverse-engineering toolkit for an AI agent: tracing cookies/tokens, bypassing anti-debugging, reconstructing signing logic, and replaying protected requests. Tool provenance is mostly official, so this is not confirmed malware, but it materially increases the agent’s ability to perform security-sensitive and potentially unauthorized actions against web targets.