performing-network-forensics-with-wireshark

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill includes a curl example that embeds an API key header (x-apikey: YOUR_API_KEY) and commands that extract plaintext credentials from PCAPs, which instructs an agent to include secret values verbatim in requests/output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md workflow (Step 3) explicitly fetches and parses public VirusTotal API responses via curl ("https://www.virustotal.com/api/v3/files/$hash") and also downloads NetworkMiner from netresec.com, and the parsed VirusTotal JSON is used to label files as "malicious" in the analysis, so untrusted third‑party content is ingested and can materially influence the agent's decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime workflow downloads and executes a remote binary (NetworkMiner) from https://www.netresec.com/?download=NetworkMiner (wget ... unzip ... mono /opt/NetworkMiner/NetworkMiner.exe), which fetches remote code and runs it as part of the required analysis steps.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill instructs installing system packages with sudo and writing to system paths (e.g., "sudo apt-get install wireshark tshark", installing mono, and extracting to /opt), which requires elevated privileges and modifies the host state.