performing-red-team-with-covenant

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires obtaining and using a Covenant JWT API token and implicitly involves embedding that token verbatim in API requests/commands (e.g., Authorization headers or generated launchers), which forces the LLM to handle secrets directly and risks exfiltration.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content automates Covenant C2 capabilities—creating listeners, generating launchers to deploy agents, executing remote tasks (PowerShell/Assembly/Mimikatz), and performing uploads/downloads and lateral movement—which intentionally enables backdoors, remote code execution, and credential/ data theft and is therefore high-risk and easily abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's script and SKILL.md explicitly require connecting to a user-supplied Covenant server URL and calling its REST API (e.g., /api/grunts, /grunttasks, /api/users/login) and ingesting grunt/task outputs and listener data from that external server, which is untrusted/user-generated content that can influence which grunts/tasks are executed and the agent's next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime API calls to a user-specified Covenant C2 server (e.g., https://10.0.0.5:7443) — including endpoints like /launchers/powershell and /grunts/{id}/interact — to fetch launcher payloads and issue tasks that directly provide/trigger remote code execution, and the agent requires that server to function.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill explicitly guides the agent to create listeners, generate launchers, deploy and manage grunts, and execute tasks on compromised hosts—actions that alter system state, enable persistence/breach security, and can require privileged modifications on the machine running the C2—so it should be flagged.