performing-ssl-stripping-attack

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content provides step-by-step, actionable MITM/SSL‑stripping techniques (ARP/DNS spoofing, iptables redirects, Bettercap/sslstrip/mitmproxy usage) and explicit instructions to capture and search intercepted credentials, which are dual‑use but clearly enable deliberate credential theft and network downgrade attacks.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's runtime workflow (SKILL.md) and scripts/agent.py show the agent directly fetching and parsing public, untrusted web content—e.g., check_hsts_header/check_security_headers/check_mixed_content and check_redirect_chain use curl to retrieve HTTP headers and HTML, and check_hsts_preload queries the public hstspreload.org API—and those parsed results are used to determine ssl_strip_risk and drive assessment decisions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs running multiple sudo commands that modify system/network state (sysctl ip_forward, iptables rules) and to run ARP/DNS spoofing and MITM tools (bettercap, sslstrip) that require elevated privileges and change the machine's state.