js-reverse-mcp-debugging

Fail

Audited by Snyk on May 17, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill exposes tools that read full request bodies, scope variables and WebSocket payloads, and that even search for apiKey patterns (e.g., evaluate_script returning window.secretVar and get_websocket_messages returning full payloads), so an agent using this skill would likely receive and could be expected to output secret values verbatim, creating an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). The localhost and example.com URLs are benign placeholders, but the GitHub repo (github.com/zhizhuodemao/js-reverse-mcp) plus instructions to run npx packages and auto-download a CloakBrowser binary from an unvetted author/domain create a clear vector for arbitrary code execution and untrusted executable distribution, so this set is moderately-to-highly suspicious.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This is high-risk: the skill intentionally implements anti-detection (protocol-layer and binary "cloak") and persistent fingerprint/profile spoofing plus powerful in-page evaluation, breakpoint/context inspection, and passive network/WebSocket capture — capabilities that clearly facilitate stealthy credential/session theft, data exfiltration, stealthy scraping/automation, and supply-chain/binary-download risks (npx/cloakbrowser downloads).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md workflows explicitly navigate to arbitrary public URLs (e.g., new_page/navigate_page with "https://example.com") and then read and act on fetched page content and assets via tools like list_scripts, get_script_source, search_in_sources, get_websocket_messages and list_network_requests, meaning untrusted third‑party webpage/script content is ingested and used to drive breakpoints, evaluations, and other agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill instructs running remote packages (e.g., "npx js-reverse-mcp") and provides the repository URL https://github.com/zhizhuodemao/js-reverse-mcp.git — these commands/downloads fetch and execute remote code (and the optional "npx cloakbrowser install" downloads a binary), so external content would be executed and relied on by the skill at runtime.

Audit Metadata

Risk Level: CRITICAL
Analyzed: May 17, 2026, 02:34 PM
Issues: 5