Security

The WebAssessment skill is a capability-rich orchestration tool for automated web security testing. Its stated purpose matches the capabilities provided (recon, fuzzing, Playwright automation, threat modeling). However, several security concerns arise: it mandates an immediate local network POST (curl to localhost), executes other local skill tools (transitive execution / supply-chain risk), and allows arbitrary local customizations to override behavior. The skill enables autonomous active testing without enforced per-action authorization, increasing potential for misuse or accidental unauthorized scanning. Overall this is not directly malicious (no evidence of hardcoded exfiltration endpoints or obfuscated payloads), but it is high-risk operationally: use requires strict operational controls, explicit authorization, and review of all local tool code and customization files before invocation.

The skill is coherently aligned with a defensive security testing purpose focused on prompt injection assessment and jailbreaking techniques, and it leverages local signaling and workflow orchestration. However, several patterns present supply-chain and data-flow risks: mandatory curl-based localhost signaling could be repurposed in an unintended environment, the workflow references external resources and attack techniques, and there is potential exposure of sensitive scope details via customization loading. Overall: the footprint is suspiciously aggressive for a defensive tool and warrants strict access controls, auditing, and environment isolation. The risk is elevated by the reliance on executable network calls and external resource references, even if clearly labeled for authorized use. The content should be used only within tightly controlled, auditable engagements with explicit authorization and governance in place.

Benign: The fragment describes a coherent routing schema for a security assessment agent, directing tasks to domain-specific SKILL.md modules. There are no apparent credential requirements, external downloads, or data flows that would pose security risks within this fragment. Ensure future sub-skills maintain strict data handling and avoid leaking credentials across modules.

This document is a detailed, actionable playbook for indirect/prompt injection and RAG poisoning. It enumerates sources, payload techniques (hidden text, metadata, JSON fields, scripts), and stepwise attack flows targeting ingestion, indexing, and model prompt composition to override system prompts or cause cross-user contamination. While it is framed as a defensive testing guide, the content is dual-use and can readily be used to perform real-world attacks against AI systems that process external content. It contains no obfuscated executable code or direct system-level malware, but it presents a significant operational risk if misused. Recommended handling: treat as sensitive attack guidance, restrict distribution, and apply the listed mitigations (sanitization, instruction filtering, user isolation, output filtering).

This skill is a news-aggregation/summary agent with expected behaviors: reading a local state file, fetching configured public news sites, parsing and formatting results, applying optional local customizations, and writing an updated state. I found no code that sends data to external attacker-controlled hosts or executes downloaded binaries. The main risks are operational: (1) fetching and automatically processing arbitrary web content can enable content-based injection or manipulation of outputs unless parsing/sanitization is constrained; (2) user-provided customization files in ~/.claude/... can override behavior and should be treated as trusted local inputs — if an attacker has local write access they can change skill behavior; (3) the unconditional silent curl POST to localhost is unusual and should be documented/approved by the user (it could be benign but performing silent network activity is surprising). Overall, the skill appears functionally coherent with its stated purpose, with no direct evidence of malware or credential harvesting. Recommended mitigations: require explicit user consent before sending notifications, validate and sandbox fetched content parsing, restrict what local customization files can change, and protect the state file from tampering.

The AnnualReports skill's stated purpose (aggregating and analyzing annual security reports) is plausible and most requested file/network access aligns with that purpose. However, there are several supply-chain and autonomy risks: the skill mandates an immediate POST to a local HTTP endpoint before any other action, auto-loads user customization files that can change runtime behavior, and executes local TypeScript tools via `bun run` which runs arbitrary code from the skill tree. These create transitive-execution and potential exfiltration vectors. I assess the package as suspicious/vulnerable rather than confirmed malicious. Recommend removing or gating the mandatory curl action, restricting and documenting exactly what the Tools/*.ts scripts do, avoiding automatic execution of unverified upstream code, and requiring explicit user consent before any network or code execution. If used, run the tools in a restricted sandbox and audit the Tools/*.ts scripts and any fetched sources before execution.

This artifact is a high-value, dual-use playbook for multi-stage prompt-injection and social-engineering attacks against conversational AI. It contains practical templates and obfuscation techniques that materially lower the effort required to bypass weakly configured models. While not executable malware, it meaningfully increases risk to systems without robust multi-turn protections, provenance tracking, and obfuscation/role-play defenses. Recommend restricted handling, review of referenced payload repositories, and implementation of defenses described in recommendations.

This is a comprehensive, dual-use OSINT automation playbook and set of orchestration scripts intended for authorized reconnaissance and monitoring. The code and documentation do not contain obvious malware, obfuscation, or backdoors, but they enable potentially harmful actions (credential testing, social engineering, stealthy scanning) and include insecure command construction patterns that could allow command injection if inputs are malicious. Treat as benign tooling for authorized use with strict operational controls: sanitize inputs, secure API keys, protect stored outputs, and enforce legal/ethical authorization before active testing.

The Recon skill is appropriately scoped for OSINT and authorized network reconnaissance, with passive-by-default operation and explicit authorization required for active scans. The design is coherent and industry-aligned, though the local notification mechanism and environment-based API keys introduce non-trivial risk vectors that require strong access controls and auditing. Treat as SUSPICIOUS-to-BENIGN overall, with emphasis on enforcing authorization, securing secrets, and auditing all active recon actions.

This file is a legitimate penetration-testing exploitation guide and PoC template that contains explicit, actionable exploit payloads and tooling commands for web and infrastructure vulnerabilities (SQLi, XSS, SSRF, XXE, CSRF, file upload). It is not executable malware and contains no obfuscated code, hardcoded credentials, or direct network operations. The primary risk is informational: it lowers the bar for attackers by providing ready-to-run examples and chaining strategies. Treat the document as sensitive instructional material—use only with explicit authorization and consider removing or restricting distribution in consumer-facing packages.