code-security-audit

Warn

Audited by Socket on Mar 26, 2026

3 alerts found:

Security x3
Security MEDIUM
SKILL.md

SUSPICIOUS: the skill is coherent for its stated purpose, but that purpose gives an AI agent high-risk security-audit and pentest-adjacent capabilities over local codebases. Its footprint is mostly local and proportionate, with no external exfiltration or dubious install chain, so this is not malware-like; the main risk is enabling offensive analysis and reading sensitive project files.

Confidence: 87%, Severity: 74%
Security MEDIUM
references/examples/environment-simulation.md

This collection is a purposeful demonstration of common vulnerabilities (SQL injection, command injection, XSS, Log4Shell, CSRF, insecure file upload, gRPC reflection exposure). The code contains multiple direct source-to-sink paths that allow exploitation if deployed as-is. It does not appear to be covert malware; rather it is intentionally insecure sample code for testing/training. Treat these files as dangerous: run only in isolated, local lab environments and never deploy to production. Mitigations include parameterized queries, avoiding shell=True or quoting inputs, output escaping/sanitization, disabling gRPC reflection in production, updating Log4j and avoiding logging untrusted JNDI payloads, enforcing CSRF protections, and validating uploaded files.

Confidence: 85%, Severity: 70%
Security MEDIUM
references/examples/detailed-vulnerability-chains.md

This document is an extensive offensive POC and attack playbook covering multiple high-impact web vulnerabilities and providing explicit exploit payloads and commands. It is not obfuscated and does not itself execute code, but it contains numerous ready-to-run exploit examples (webshells, reverse shells, deserialization payloads, SQLi/XXE/SSRF payloads). Malware probability is low because it’s instructional text rather than packaged malicious code; however, the security risk is high because the content contains actionable steps that enable remote code execution, credential theft, persistent backdoors, and data exfiltration when applied to vulnerable systems. Treat the document as high-risk sensitive material: it should be restricted to authorized security testing contexts and never introduced into production code. Recommended actions: do not deploy any code snippets into production, use the remediation guidance to fix vulnerable endpoints, and restrict distribution of the POC to authorized defenders and testers.

Confidence: 85%, Severity: 80%
Audit Metadata
Analyzed At: Mar 26, 2026, 07:13 AM
Package URL: pkg:socket/skills-sh/ProgrammerAnthony%2FExpert-Coding-Skills%2Fcode-security-audit%2F@7fee59f14aafceffe96135a0d841b4723c718a4f