performing-ssrf-vulnerability-exploitation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt directs the agent to fetch cloud metadata endpoints (e.g., AWS/GCP) that can return credentials and to analyze/generate a report on findings, which implies reading and potentially outputting secret values verbatim (AccessKeyId/SecretAccessKey).

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill clearly implements deliberate SSRF exploitation techniques (probing cloud metadata endpoints for credentials, internal port scanning, file:// reads, bypasses and redirect/DNS-rebinding checks) that enable data exfiltration and internal network reconnaissance and are highly abuseable for credential theft and system compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill (SKILL.md and scripts/agent.py) explicitly sends requests to arbitrary/untrusted URLs (target_url+payloads, including public redirects like spoofed.burpcollaborator.net and other external/internal endpoints) and inspects resp.text/response_preview and status codes to mark findings and drive follow-up actions, so untrusted third‑party content is fetched and directly influences the agent's decisions.