pentesting-web-apps

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill includes examples and scripts that capture and reuse secrets (session cookies, JWTs) and shows passing them verbatim on the command line (e.g., --cookie-header "session=..."/--jwt-file), which requires the agent to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly crawls and fetches content from the supplied target URL (Playwright in scripts/playwright-crawl.mjs, OWASP ZAP in scripts/crawl-surface.sh, and ffuf/feroxbuster) and then parses discovered pages/forms/requests to generate and drive follow-up probes (scripts/injection-probes.sh, logic-tester.sh), so untrusted third‑party page content directly influences subsequent tool actions.