performing-ssrf-vulnerability-exploitation

Fail

Audited by Snyk on Mar 15, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs probing metadata endpoints and notes confirming SSRF if responses contain AWS credentials (AccessKeyId, SecretAccessKey), which would require the agent to read and potentially include secret values verbatim in its report — an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This skill contains explicit, actionable tooling and payloads to retrieve cloud instance metadata and tokens, perform internal port scanning, and bypass SSRF filters—capabilities that directly enable credential theft and internal network reconnaissance for malicious use.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill (SKILL.md and scripts/agent.py) actively sends arbitrary URL payloads (see scripts/agent.py test_ssrf_payload and BYPASS_PAYLOADS including spoofed.burpcollaborator.net) and ingests/parses the target's HTTP responses for indicators to mark vulnerabilities, so untrusted third-party content can directly influence its decisions and workflow.

Issues (3)

W007 (HIGH): Insecure credential handling detected in skill instructions.

E006 (CRITICAL): Malicious code pattern detected in skill scripts.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 15, 2026, 09:39 PM
Issues: 3