conducting-spearphishing-simulation-campaign

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content is a clear, actionable blueprint for malicious phishing operations—detailing credential-harvesting pages, MFA bypass tools, HTML smuggling and encoded payload delivery, macro/LNK/ISO execution chains, C2 callbacks, and infrastructure setup to evade email defenses—indicating intentional facilitation of credential theft, data exfiltration, and remote compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs fetching and importing public third‑party webpages (e.g., "Import Site: https://login.microsoftonline.com" in references/workflows.md and the workflow/Phase 3 steps to "create landing pages" and use wget to download releases from GitHub), so the agent will fetch and interpret untrusted external web content as part of its workflow, which can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The workflow explicitly runs a runtime fetch and install of the GoPhish binary via wget (https://github.com/gophish/gophish/releases/latest/download/gophish-v0.12.1-linux-64bit.zip) which downloads remote executable code that is unzipped and started (./gophish), meeting the criteria of fetching and executing remote code as a required dependency.