saas-session-recon

Fail

Audited by Snyk on Apr 14, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs extracting full cookie/token values (including HttpOnly via network captures) and embedding them verbatim into test commands (bun/curl/fetch) and credential-extraction recipes, which forces the agent to handle secrets directly despite a note to only show prefixes.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The skill is explicitly authored to locate, extract, and reuse browser session credentials (including HttpOnly cookies and tokens), to bypass OAuth/admin controls by proxying authenticated browser sessions via an extension and agent process (e.g., computing SAPISIDHASH, using native messaging to set Origins), which constitutes a clear recipe for credential theft, unauthorized API access, and data exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). This skill autonomously navigates to and scrapes live third-party web apps and documentation (e.g., via navigate/read_page, read_network_requests, javascript_tool to enumerate cookies/localStorage and capture Set-Cookie/response headers, plus bun fetch of external docs in Phase 2.5), treating that untrusted web content as input to decide tests and generate credential-extraction recipes, which meets all criteria for indirect prompt-injection risk.

Issues (3)

W007  HIGH      Insecure credential handling detected in skill instructions.
E006  CRITICAL  Malicious code pattern detected in skill scripts.
W011  MEDIUM    Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 14, 2026, 09:30 AM
Issues: 3
Security Audit — snyk — saas-session-recon