redteam

Fail

Audited by Snyk on Apr 2, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). Although framed as authorized red-team guidance, the content includes explicit exploit proofs-of-concept (e.g., SQLi payload), instructions for credential theft and exfiltration (SSRF to metadata service, data exfiltration techniques), and references to C2/post‑exploitation tools and persistence/backdoor methods that are high-risk and readily reusable for malicious abuse if used without authorization.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's reconnaissance workflow and included script (scripts/recon.sh) explicitly instruct collecting OSINT from public, untrusted sources — e.g., search engine results, crt.sh/certificate transparency logs, social media, GitHub and arbitrary target URLs/domains — and the agent is expected to read and act on those findings to plan follow-up actions, creating a clear avenue for indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (medium risk: 0.40). The skill explicitly guides offensive actions like "privilege escalation" and "persistence (backdoors, scheduled tasks)" which can encourage modifying a machine's state (e.g., adding persistence or escalated access), even though it doesn't explicitly instruct obtaining sudo, editing system service/SSH files, or creating user accounts on the host.

Issues (3)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 2, 2026, 04:28 PM
Issues: 3