exploiting-oauth-misconfiguration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs capturing and reusing client_secrets, access_tokens, authorization codes, and using them verbatim in curl commands and headers (e.g., client_secret=APP_SECRET, Authorization: Bearer $ACCESS_TOKEN), which requires the LLM to handle and output secret values directly.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). High risk: the content deliberately describes and automates techniques to steal OAuth authorization codes/tokens and redirect them to attacker-controlled servers (exfiltration and credential theft) enabling account takeover and misuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The agent directly fetches and parses untrusted public endpoints (e.g., scripts/agent.py's discover_oidc_config which GETs {base_url}/.well-known/openid-configuration and then uses the returned authorization_endpoint/token_endpoint to drive further requests and assessments), so external site content can influence its actions.