ctf-web
Audited by Socket on Apr 5, 2026
3 alerts found:
Anomaly, Security, Obfuscated File
This fragment is offensive-security documentation containing explicit credential-harvesting and data-exfiltration examples (including writing harvested passwords to `/dev/shm/creds.txt` and sending stolen data to an attacker-controlled endpoint), plus many described auth/bypass and RCE attack chains. It is not actual dependency/library code, so there is no direct evidence of supply-chain malware behavior from this fragment alone; nevertheless, the included payload logic is highly indicative of malicious intent if repackaged into runnable code. High security risk for misuse; low evidence of true dependency compromise based on the provided content context.
SUSPICIOUS: the skill is internally consistent as a CTF exploitation guide and uses mostly legitimate install sources, but its actual function is to equip an AI agent with high-risk offensive security capabilities. This is not clearly malicious or credential-harvesting by the publisher, yet it is dangerous because it enables automated exploitation, secret extraction, and attack execution beyond a narrow benign development purpose.
The fragment serves as a threat-research catalog detailing numerous established attack surfaces across multiple runtimes and deployment stacks. There is no active malware or payload in the fragment itself, but the breadth of patterns informs defense teams to audit inputs, deserialization policies, container boundaries, access controls, and supply-chain hygiene. Treat it as a risk checklist for dependency and configuration hardening rather than an executable exploit, and ensure mitigations cover SSRF, LFI/RCE, deserialization, template injection, and protocol-level smuggling across the stack.