jshook-reverse

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly includes commands that read and display sensitive values (e.g., debug-eval document.cookie, watch "userData.token", hook-data/view captured network data) which would require the agent/LLM to output secrets verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's documentation and workflow (e.g., "collect " / "collect https://target.com" and "page navigate " in SKILL.md and README) explicitly fetch and ingest arbitrary public web pages and their inline/external scripts for AI-driven deobfuscation and dynamic analysis (deobfuscate, understand, debug-eval, hook, breakpoint), so untrusted third‑party content is read and can materially influence debugger/hook/automation actions.