performing-phishing-simulation-with-gophish

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The content is a legitimate phishing-simulation toolkit for authorized testing but includes explicit, actionable instructions and tooling for credential harvesting and detection evasion (e.g., enabling credential capture, cloning login pages, staggering sends, whitelisting, DNS for phishing domains, and referencing Evilginx2), which makes it highly abuseable for real-world phishing/credential theft even though the scripts themselves show no hidden backdoor, obfuscation, or external data-exfiltration endpoints.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs and implements importing/cloning arbitrary public webpages via GoPhish (see SKILL.md Step 4 "Clone legitimate login page", references/api-reference.md's /api/import/site, and scripts/process.py GoPhishClient.import_site which POSTS a provided URL), so the agent will fetch and ingest untrusted third‑party page content that can influence campaign creation and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's setup fetches and executes remote code required to run the agent (e.g., docker pull gophish/gophish and wget https://github.com/gophish/gophish/releases/latest/download/gophish-v0.12.1-linux-64bit.zip followed by ./gophish), so those URLs are runtime external dependencies that deliver executable code the skill relies on.