patt-fetcher

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). These are raw Markdown pages from a well-known public GitHub repo (PayloadsAllTheThings) — not direct binary downloads or typosquat domains — but they contain many exploit payloads, reverse shells, persistence/evasion techniques and commands that can be used to craft or deploy malware, so they are not outright malicious hosting but represent a meaningful operational risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The skill is high-risk: it intentionally fetches and returns exploit payloads (reverse shells, command injection, privilege escalation, persistence, evasion, etc.) from PayloadsAllTheThings for on-demand use, directly enabling remote code execution and system compromise even though it contains no obfuscated backdoor code or hidden eval/exfiltration routines itself.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md workflow explicitly WebFetches raw files from PayloadsAllTheThings on GitHub (raw.githubusercontent.com URLs) and parses H2 sections to return user-generated payloads, meaning untrusted third-party content is ingested and can directly influence agent outputs and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill WebFetches raw GitHub URLs at runtime (e.g., https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/SQL%20Injection/README.md) and explicitly “bakes” the fetched payloads into executor prompts, so remote content can directly control agent instructions.