Xss Scanner
Result: Pass. Audited by ClawScan on Apr 25, 2026.
Overview
The skill's code and instructions align with a professional XSS scanner: nothing requests unrelated credentials or installs, but it contains expected offensive payloads and network behavior that must only be used on authorized targets.
This package appears coherent for authorized security testing, but it contains intentionally malicious-looking XSS payloads (including ones that fetch/exfiltrate document.cookie to external domains), a blind-callback feature, and a proxy loader that perform network requests. Only install/use this on targets you own or have explicit written permission to test.

Before using in shared/chat environments:

1. Review/replace any hardcoded callback domains (e.g., 'evil.com') with your own collector, or remove exfiltration-style payloads.
2. Be aware the Discord wrapper runs the scanner as a subprocess and may run long scans.
3. The proxy rotator fetches public proxy lists from third-party raw URLs; verify these sources if you require provenance.
4. Inspect licensing/upgrade URLs if you do not want external payment links printed.

If you need higher assurance, run the scanner in an isolated environment and audit network traffic during its first runs.
