burpsuite-project-parser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill instructs the agent to retrieve and emit request/response headers and (truncated) bodies from Burp projects — which can contain Authorization headers, cookies, API keys or passwords — and does not require redaction, so the LLM could output secrets verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill invokes burpsuite-project-file-parser on user-supplied Burp project files (see SKILL.md commands like "{baseDir}/scripts/burp-search.sh project.burp responseBody='...'" and the scripts/burp-search.sh entrypoint) and explicitly instructs the agent to search and interpret response headers and bodies from captured web traffic (arbitrary third-party web/forum content), so untrusted third-party content is ingested and can influence subsequent actions.