bb-local-toolkit

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill contains explicit PoC templates and command examples that embed or exfiltrate secrets (e.g., curl ${secrets.TOKEN}, gh issue payloads that cat $GITHUB_ENV), which instructs producing outputs that include secret values verbatim and thus create exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This document contains numerous explicit, actionable offense playbooks (PoC commands, payloads and step-by-step chains) that directly enable credential theft, secret exfiltration, remote code execution, persistence (self‑hosted runner takeover / Runner‑on‑Runner), artifact/cache poisoning and supply‑chain compromise—capabilities that are readily abuseable for malicious backdoors and data exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — the SKILL.md explicitly instructs fetching and interpreting open/public third‑party content (e.g., Recon steps using waybackurls/gau/katana, Phase 1 URL/JS scraping, and Phase 2 "Read Disclosed Reports" with curl to HackerOne GraphQL) and then using those findings to drive follow‑on tests and actions, which clearly exposes the agent to untrusted, user‑generated content that could supply indirect prompt instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The INSTALLATION section tells operators to clone or curl the remote skill from https://github.com/shuvonsec/claude-bug-bounty.git (and the raw file https://raw.githubusercontent.com/shuvonsec/claude-bug-bounty/main/SKILL.md) which, once installed, will be loaded as SKILL.md by Claude Code and therefore remote content would directly control agent prompts/instructions and is a required dependency.