skills/galiais/ctf-sandbox-orchestrator/competition-android-hooking/Snyk

competition-android-hooking

Fail

Audited by Snyk on Mar 31, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs capturing plaintext inputs, signed strings, headers, nonces, tokens and then rebuilding/replaying requests (including signatures and headers), which requires handling and outputting secret values verbatim — a direct exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

Malicious code pattern detected (high risk: 1.00). 该技能明确指导绕过 SSL 钉扎和 root 检查、挂钩请求签名器、密钥/keystore、JNI 边界并记录明文输入、签名、头部和令牌，直接提供凭证窃取、敏感数据外传与会话重放的操作步骤，属于高度可被滥用的恶意能力集合。

Issues (2)

W007

HIGH

Insecure credential handling detected in skill instructions.

E006

CRITICAL

Malicious code pattern detected in skill scripts.

Audit Metadata

Risk Level

CRITICAL

Analyzed

Mar 31, 2026, 12:15 PM

Issues

2