exploiting-template-injection-vulnerabilities

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly contains commands and payloads that retrieve sensitive values (e.g., {{config.SECRET_KEY}}) and shows examples of embedding credentials in request headers (e.g., Authorization: Bearer token, Cookie: session=abc123), which would cause the agent/LLM to receive and potentially output secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content is explicitly offensive and high-risk: it contains ready-to-run SSTI payloads and automation that achieve remote code execution, read sensitive files/secret keys, and enable automated scanning/exfiltration, which can be directly abused for unauthorized compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's workflow and code explicitly fetch and ingest responses from arbitrary target URLs (e.g., SKILL.md curl examples like "https://target.example.com/page?name=..." and scripts/agent.py's send_payload/identify_engine/test* functions), treating untrusted public web responses as input and using those responses to drive detection, engine identification, and follow-up exploitation steps—so third-party content can directly influence subsequent tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs fetching and executing external code (tplmap) via the git URL https://github.com/epinna/tplmap.git (clone in prerequisites and later python3 tplmap.py ... usage), so this runtime-fetched repository is a required dependency that executes remote code.