Privilege Escalation Methods

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly focuses on credential harvesting and lists "Extracted credentials and hashes" as deliverables and tools (e.g., Mimikatz) that retrieve secrets, so an agent using it would be expected to obtain and output secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The skill content is explicitly written to enable post-exploitation abuse—detailing numerous privilege escalation techniques, credential theft methods (Mimikatz, NTDS.dit dumps, Kerberoasting, NTLM relays, LLMNR poisoning), persistence and remote code execution patterns (scheduled tasks fetching scripts from attacker servers, SUID/setuid binaries, service/GPO abuse), which together indicate deliberate malicious intent and backdoor behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs detailed post-exploitation privilege escalation (obtaining root/Administrator, extracting credentials, and establishing persistence), which directs an agent to modify and compromise the state of target machines.