dragonjar-android-pentesting-skill

Result: Fail

Audited by Snyk on May 20, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs extracting and reporting hardcoded secrets (grep patterns for sk_live_/ghp_/AIza..., evidence fields in findings JSON, string-extraction commands and reporting), which will cause an agent to capture and output secret values verbatim into reports or console output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly ingests and analyzes untrusted APKs and their decompiled assets (e.g., scripts/auto-audit-static.sh and scripts/02-rasp/runtime-defense-analyzer.sh operate on /path/to/app.apk and produce findings-rda.json), and those findings are used to generate and execute follow-up tooling commands (rasp-bypass-runner.sh, Frida invocations), so attacker-controlled app content can materially influence agent decisions and tool use.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: HIGH
Analyzed: May 20, 2026, 01:48 AM
Issues: 2