exploiting-mass-assignment-in-rest-apis

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt embeds Authorization headers and token arguments directly in example curl/CLI commands (e.g., "Authorization: Bearer USER_TOKEN" and --token "Bearer USER_TOKEN"), which instructs including secrets verbatim in generated requests/commands and therefore poses an exfiltration risk even if placeholders are shown.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content is an exploitation playbook (with an automation script) that explicitly instructs and automates privilege escalation, financial manipulation, verification bypass, and account takeover techniques—facilitating deliberate abuse if used without authorization.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's workflow and code explicitly fetch and parse arbitrary API responses (see SKILL.md curl commands to http://target.com/api/users/me and docs, and scripts/agent.py's get_baseline_response/test_mass_assignment, which call and JSON-decode third-party endpoints) and use those untrusted responses to decide tests and findings, so external content can materially influence agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly instructs sending crafted API requests to modify monetary and business-logic fields (examples include changing "balance", "price", creating orders with price 0.01, applying 100% discounts, and setting subscription price to 0). Those example payloads are direct actions that alter financial state (balances, order prices, subscriptions) and are explicitly aimed at achieving financial impact (financial loss, free purchases, subscription upgrades). This is not generic browsing or testing guidance only — it contains concrete, actionable commands to execute transactions/modify monetary values. Therefore it provides direct financial execution capability.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 9, 2026, 10:26 AM
Issues: 4