shellcode-fluctuation

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 1.00). The GitHub repository contains C++ source and build instructions explicitly designed to encrypt/obfuscate in-memory shellcode and evade EDR (dual-use/offensive malware techniques), so it is a high-risk source for distributing malware despite being hosted on GitHub.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content documents deliberate malicious techniques—in-memory XOR encryption of injected shellcode, toggling RX/RW protections, integration with Cobalt Strike, and use of indirect syscalls to bypass hooks—clearly enabling obfuscated remote code execution/backdoor behavior and EDR evasion.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). SKILL.md's Quick Start explicitly instructs cloning a public GitHub repository (git clone https://github.com/mgeeky/ShellcodeFluctuation), which requires fetching and interpreting user-generated third-party code that can materially change execution or tooling decisions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill instructs building and running code that modifies process memory protections, encrypts/decrypts injected shellcode, embeds Cobalt Strike payloads, and uses indirect syscalls to bypass EDR—actions that actively modify runtime/system state and facilitate malicious control.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 9, 2026, 06:12 PM
Issues: 4