exploiting-deeplink-vulnerabilities
Fail
Audited by Snyk on Apr 9, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). Contains explicit exploit tooling and payloads (redirects to attacker domains, JavaScript fetches that exfiltrate cookies, file:// access to app data, instructions to build malicious apps that hijack URL schemes/intents) that enable data exfiltration, credential theft and intent hijacking — capabilities that are clearly abusive if used against targets.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's workflow explicitly instructs fetching public site files (e.g., "curl https://target.com/.well-known/apple-app-site-association" in SKILL.md and checking https://domain/.well-known/assetlinks.json) and the agent is expected to read/interpret those third-party JSON files to decide App Links/Universal Links verification and subsequent tests, so untrusted web content can materially influence its actions.
Issues (2)
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).