fiddler-traffic-debugging

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill requires inspecting request/response headers and bodies (explicitly including auth headers and cookies) and optionally including header/body "Evidence" in the report, which can force the model to output verbatim bearer tokens, API keys, cookies, or passwords from the captured traffic, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to pull and inspect captured HTTP sessions via the Fiddler MCP tools (e.g., GetSessions and GetSessionDetails) and to read request/response bodies and headers from those sessions, which can include arbitrary, untrusted public web content captured from third-party sites.