ctf-forensics

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.95). The content is presented as a defensive CTF forensics guide but embeds many explicit, actionable offensive techniques and tooling (RID recycling, Timeroasting/MS‑SNTP, dnscat2/DNS covert channels, USB HID/LED exfiltration, keystroke recovery, memory key extraction, credential cracking, remote command execution via WMI/WMIC/wmiexec, RC4/stream-key extraction, TLS/RSA key recovery, etc.) which are dual‑use and can be directly repurposed to perform credential theft, covert exfiltration, remote compromise, and persistence/backdoor activity.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's instructions explicitly direct fetching and interpreting content from public third-party sources (e.g., mempool.space API for TX lookup, gitdumper.sh against https://target/.git/, and aws s3 ls --no-sign-request for public buckets), which are untrusted/user-controlled and are used in workflows that influence subsequent forensic actions and decisions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill includes explicit system-level commands that require elevated privileges (e.g., apt install, sudo mount -o loop,ro, cryptsetup/veracrypt mounting) and thus directs actions that modify the host system state and require/assume sudo access.