web-exploits

This file implements an unauthenticated remote web shell that executes arbitrary shell commands provided via HTTP and returns results to the requester. It presents a severe security risk: remote code execution, data exfiltration, and the ability to establish persistence or pivot. If found in a codebase unintentionally, treat as malicious/backdoor and remove or restrict immediately. If intended for administration, it must be replaced with a secure alternative: strong authentication, authorization, command whitelisting, input validation, TLS, network restrictions, and audit logging.

This skill/instruction set is an offensive, high-action web-exploitation toolkit: its claimed purpose (web exploitation) matches its content, but many included artifacts (webshells, reverse shells, cookie exfiltration to attacker domains, RCE/SSTI exploitation chains) are explicitly malicious and highly actionable. For a CTF or authorized penetration test context it is plausible; for inclusion as a general-purpose public AI skill it poses significant misuse risk. Recommend treating as suspicious/high-risk: restrict access, require explicit authorization, and remove direct exfiltration/webshell artifacts from publicly accessible skills.

The code acts as a CSRF token grabber/submission utility. It is not inherently malicious but poses security risks in production due to a local proxy, disabled TLS verification, and verbose token logging. Use should be restricted to authorized security testing; remove proxy defaults, enforce SSL verification, and implement safeguards for logging and authorization.

This is an offensive/security-testing utility that crafts and uploads webshells and polyglot files to detect file-upload filter bypasses and potential remote code execution. It is dual-use: appropriate for authorized security assessments but clearly malicious if used without permission. There is no obfuscation or hidden exfiltration logic, but the presence of raw webshells and aggressive bypass tests presents a high operational risk if abused. Use only with explicit authorization.