Once they clicked the link, the attacker could get a list of all installed Alexa "skills" - or apps - and steal a token allowing them to add or remove skills. One way to use the flaw would be to ...