Cloud Penetration Testing
Fail
Audited by Snyk on Feb 19, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly shows and instructs embedding and extracting secrets verbatim (e.g., passing --secret_access_key, --password, exporting service principal secrets to plaintext, importing/storing stolen token files and using Get-Credential), which requires the LLM to handle secret values directly and risks exfiltration.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The content contains explicit, actionable instructions for credential theft (dumping secrets, extracting tokens), data exfiltration (s3 sync/gsutil cp/Runbook/job output export), privileged persistence and backdoors (creating/resetting service principals, adding to Global Admin, creating access keys/users), and evasion techniques (IP rotation, slow enumeration)—all showing deliberate malicious/persistent abuse patterns.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs fetching and ingesting untrusted public content — e.g., curl against login.microsoftonline.com and other public endpoints, aws s3 ls/s3 sync to download arbitrary S3 buckets, and cloning/parsing public GitHub/repos (cloud_enum, ScoutSuite outputs) — and the workflow expects the operator/agent to read and act on those results, so third-party content can materially influence subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes required setup commands that fetch and execute remote installers at runtime (e.g., curl https://sdk.cloud.google.com | bash and curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o awscliv2.zip && unzip awscliv2.zip && sudo ./aws/install), so these URLs permit remote code execution as required dependencies.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly includes commands that run installers and file operations with sudo (e.g., "sudo ./aws/install", "sudo find /home ...", "sudo cp -r /home/user/.config/gcloud ...") and curl|bash installers that modify the host environment, so it directs the agent to perform privileged changes to the machine it runs on.