fuzz

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill demonstrates embedding sensitive tokens and session cookies directly into command-line headers (e.g., Authorization: Bearer , Cookie: session=), which requires the agent to include user secrets verbatim in generated commands/requests and therefore poses a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs running ffuf against arbitrary public targets (e.g., "ffuf -u https://TARGET/FUZZ" and "ffuf -u https://FUZZ.TARGET.com"), so the agent would fetch and interpret untrusted third‑party web content as part of its workflow which can materially affect subsequent fuzzing actions.