exploit-xss

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is a fully-featured XSS exploitation toolkit containing explicit data-exfiltration payloads (fetch/new Image/script src to attacker-controlled domains and interactsh/burpcollaborator), SVG XXE/SSRF payloads, template-engine/server‑side RCE strings (constructor.constructor / process.exec / Jinja payloads), dynamic-eval and encoded/obfuscated payloads, service-worker/workers for persistence, WebSocket exfiltration vectors, and scripts that generate/save exploit files — all of which directly enable stealing secrets, remote code execution, and persistent abuse if misused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md instructs the agent to run scanners (e.g., dalfox, XSStrike, xspear) and pipelines that fetch and analyze arbitrary public URLs and user-generated content (e.g., "dalfox url 'https://target.com...'", "waybackurls target.com | dalfox pipe", and DOM/HTTP response analysis steps), so the agent is expected to ingest untrusted third‑party web content and act on findings.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's prerequisites and examples instruct fetching and running external tooling (e.g., git clone https://github.com/s0md3v/XSStrike and git clone https://github.com/hahwul/dalfox.git / go install github.com/hahwul/dalfox/v2@latest), which would fetch remote code that is then executed as part of running the skill and are presented as required dependencies.