performing-directory-traversal-testing

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). High-risk dual-use content: although framed for authorized testing, the guide and script provide explicit, actionable instructions and payloads for reading sensitive files (credential/private key exfiltration) and escalating Local File Inclusion to remote code execution (log poisoning, PHP wrappers), which can be directly abused for unauthorized compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's workflow and code (SKILL.md curl examples and scripts/agent.py) explicitly fetch and parse arbitrary HTTP responses from target URLs and use their contents to decide vulnerabilities and follow-up actions (e.g., LFI -> RCE steps), exposing the agent to untrusted third‑party content that could influence behavior.