aws-penetration-testing

Fail

Audited by Snyk on Feb 27, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt repeatedly instructs extracting, exporting, and embedding AWS credentials and tokens verbatim into commands, scripts, and tool arguments (e.g., aws_consoler -a AKIA... -s SECRETKEY, export AWS_ACCESS_KEY_ID=ASIA..., metadata responses), which requires the model to handle and output secret values directly, creating high exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). The URLs collectively present a high security risk: they include cloud metadata endpoints and container credential paths used for credential theft via SSRF, S3 bucket patterns and public bucket indexes that can host or serve malicious payloads, and GitHub/repos for dual‑use offensive tools — all of which can be abused to distribute or deploy malware and enable further compromise.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This skill content provides explicit, actionable instructions for credential theft, privilege escalation, persistence/backdooring (notably via Lambda and ECR), data exfiltration (metadata/SSRF, S3/EBS/RDS/DynamoDB access), and evasion/tampering of logging (CloudTrail/GuardDuty), indicating deliberate malicious/abusive behavior rather than benign guidance.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).


MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs runtime fetch-and-run of external tooling (e.g., "git clone https://github.com/RhinoSecurityLabs/pacu") which pulls and runs remote code that the workflow relies on, so this URL is a runtime external dependency that executes remote code.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly instructs privileged local actions (e.g., using sudo to create/mount /mnt/stolen), and directs workflows that modify system state (mounting volumes, running tools that alter the host), so it encourages compromising the agent's host environment.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 27, 2026, 08:36 AM