exploiting-server-side-request-forgery

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs retrieving cloud instance credentials (IMDS endpoints) and shows follow-up actions that assume exfiltrated AccessKeyId/SecretAccessKey/Token (and uses an Authorization header placeholder), so an agent following it would likely need to handle or reproduce secret values verbatim.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). These URLs are highly suspicious not as direct legitimate download hosts but as SSRF/exploitation payloads and attacker-controlled OOB endpoints (burpcollaborator/oast/rbndr, encoded/local IPs, cloud metadata addresses and redirect/credential tricks) that can be abused to exfiltrate credentials, pivot internally, or trigger retrieval of malicious payloads—so they pose a high security risk even if they aren’t direct .exe download links.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content explicitly documents and automates offensive SSRF techniques — including exfiltrating cloud metadata/credentials, internal network/port scanning, protocol-based attacks (gopher/dict/file) to achieve RCE (e.g., Redis webshell), and DNS rebinding — which are clear, intentional malicious behaviors/abuse patterns despite being framed for "authorized testing".

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow and code (SKILL.md Step 1 and scripts/agent.py test_ssrf_endpoint/_check_success) explicitly send payloads that cause the target to fetch attacker-controlled public services (e.g., burpcollaborator.net, oast.fun, rbndr.us, interactsh) and then ingest and analyze the returned content, which can directly influence findings and subsequent actions.