exploit-xss

No clear evidence that this module contains covert malware (no backdoor/persistence/credential theft/exfiltration logic). However, it is a clearly dual-use active security testing tool that injects XSS/DOM-style payloads over WebSockets, performs staged “stored” probing, discovers endpoints from HTML, and can send user-supplied payloads verbatim. The primary risk is misuse: unauthorized active probing and potential exploitation attempts, plus operational data exposure via logging/output.

No clear evidence of covert malware, backdoor, or client-side data theft is present in this module. However, it is an active, dual-use web security probing tool: it contains explicit XSS/mXSS and template-injection-style payloads and automatically sends them via HTTP GET to user-supplied targets, then reports reflection/mutation heuristics. The primary security risk is misuse/abuse (and potential impacts when used against unauthorized or sensitive systems), not supply-chain sabotage.

This code is best characterized as an offensive, misuse-prone web vulnerability probing tool. It actively injects a large set of framework-specific XSS payloads into a user-supplied query parameter, sends them to the target via HTTP GET requests, and evaluates reflection in the response body. The payload sets include high-risk gadget/RCE-oriented strings (not merely benign XSS markers). While there is no clear evidence of data theft, persistence, or stealth exfiltration within this fragment, its capability to automate exploitation attempts against arbitrary targets makes it a significant security risk. The provided snippet also appears syntactically broken/incomplete, which reduces confidence in execution but not the intent demonstrated by the payloads and network probing behavior.

SUSPICIOUS/HIGH-RISK skill. The capabilities are internally aligned with offensive XSS testing, but this is an exploit-focused AI agent skill that enables real external attacks, blind callback collection, and WAF/CSP bypass workflows. Install sources are mostly coherent rather than deceptive, so this is not confirmed malware, but it is high security risk by design.

This module is an offensive blind-XSS exploitation/testing tool, not a passive security checker. It automatically discovers forms, prioritizes likely message/contact endpoints, and submits attacker-crafted XSS payloads that are explicitly designed to trigger in a victim browser and perform out-of-band network actions. Critically, it includes payloads that attempt to steal exfiltrate sensitive browser data (document.cookie) to attacker-controlled infrastructure, with a hardcoded malicious fallback domain when no callback is provided. This behavior represents a high supply-chain security risk if included in any package without strict authorization controls and clear defensive purpose.

This code is offensive SVG XSS exploitation tooling. It not only tests for SVG injection and reflection/storage behaviors over the network, but it also generates an exploit SVG that can execute in a victim browser and exfiltrate document.cookie to an attacker-controlled callback URL. If present in a dependency, it represents a serious security threat (malware-like capability) rather than a safe security utility; snippet-level syntax issues lower runtime certainty but do not mitigate the explicit cookie theft design.