deserialization-insecure

Fail

Audited by Snyk on Apr 10, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt embeds and instructs constructing exploits that include explicit secret-like values (e.g., Shiro AES keys, cookie payloads, and attacker tokens/URLs) that the agent would need to place verbatim into commands/requests, creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The content is an explicit offensive playbook containing ready-to-run gadget chains, payload-generation commands, hard-coded keys, and techniques (URLDNS callbacks, remote exec via Runtime.exec/os.system/child_process, phar exploits, Pickle/Unserialize abuse, ViewState forging, etc.) for achieving remote code execution, data exfiltration (DNS/callbacks, file reads like /etc/passwd), key leakage and other system compromise actions — it clearly describes intentional malicious activity and weaponizes deserialization vulnerabilities.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to read and interpret untrusted content from target HTTP request/response bodies, cookies, headers, and error messages (see "TRAFFIC FINGERPRINTING" and "DETECTION METHODOLOGY") and to use those findings to choose probes/gadget chains (e.g., URLDNS, ysoserial), so third-party content can materially influence actions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy credentials. The document contains a list of known hard-coded Apache Shiro AES keys under "Known hard-coded keys (SHIRO-550 / CVE-2016-4437)". Those values are base64-encoded symmetric keys (e.g., kPH+bIxk5D2deZiIxcaaaA==, wGJlpLanyXlVB1LUUWolBg==, 4AvVhmFLUs0KTA3Kprsdag==, Z3VucwAAAAAAAAAAAAAAAA==). These are high-entropy literal secrets that can be used to forge or decrypt Shiro rememberMe cookies and therefore are actual, usable credentials — not placeholders or low-security examples.

No other high-entropy API keys, private keys (PEM blocks), or similar literal credentials appear in the document. Many other strings are placeholders, example tokens (e.g., TOKEN, ATTACKER, BURP_COLLAB), or command examples and were ignored per the rules.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 10, 2026, 04:57 AM
Issues: 4