performing-blind-ssrf-exploitation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs retrieving and exfiltrating cloud metadata and IAM credentials (and uses Authorization header examples), so an agent following it would be expected to handle and likely output secret values verbatim for reporting or exfiltration—posing a direct secret-exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). These URLs are highly suspicious because they are attacker-controlled, internal/cloud metadata endpoints, IP/URL obfuscations and redirect patterns used in SSRF/exfiltration workflows — enabling credential theft, internal service access, or fetch-and-execute of malicious payloads.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content contains explicit, actionable instructions for exploiting blind SSRF to perform internal network enumeration, access cloud metadata (stealing IAM credentials), exfiltrate data via DNS/OOB callbacks, interact with internal services (gopher/Redis/Elasticsearch), and trigger remote code execution (e.g., Shellshock and crafted payloads), indicating deliberate malicious intent and high abuse potential.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly issues HTTP requests to user-supplied targets (see scripts/agent.py: run_scan and analyze_results performing requests.get on the provided target and target/api/v1/results) and the SKILL.md shows workflows that fetch arbitrary external URLs (curl examples using collaborator/interact.sh domains), so untrusted third‑party content is ingested and parsed and can materially alter findings and risk decisions.