conducting-internal-reconnaissance-with-bloodhound-ce

Fail

Audited by Snyk on Mar 16, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt includes examples that pass plaintext passwords on the command line (e.g., bloodhound-python -p 'Password123') and instructs retrieving the initial admin password from logs, which are insecure patterns that could require embedding secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content explicitly documents and automates Active Directory offensive operations—deploying collectors to compromised hosts, instructions to exfiltrate ZIPs, low-noise/stealth collection modes, and queries that identify Kerberoastable/AS-REP accounts, ACL abuse, DCSync capabilities and delegation abuse—clearly facilitating credential theft, data exfiltration, and privilege-escalation attack paths and thus poses high malicious intent if used outside authorized engagements.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill's required Phase 1 deployment step instructs fetching and running a public docker-compose file (SKILL.md: "curl -L https://ghst.ly/getbhce -o docker-compose.yml"), which is an open/public third‑party artefact that the workflow requires deploying and then interacting with (web UI/API), so untrusted content can influence runtime behavior and subsequent agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's deployment instructions run curl -L https://ghst.ly/getbhce -o docker-compose.yml and then docker compose up -d, which fetches a remote docker-compose file at runtime and executes it—so the URL (https://ghst.ly/getbhce) provides required external content that directly controls execution.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 16, 2026, 07:56 AM
Issues: 4