expression-language-injection

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is an explicit offensive exploit playbook: it provides ready-to-run RCE payloads (Runtime.exec/ProcessBuilder), sandbox- and blacklist-bypass techniques, instruction to create a persistent backdoor via Spring Cloud Gateway actuator routes, and methods to capture/exfiltrate command output—clear deliberate malicious intent.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md detection workflow (Section 5 and examples such as sending ${7*7} probes and interacting with HTTP endpoints like Confluence action pages and /actuator/gateway) explicitly requires issuing requests and reading untrusted web application responses to determine engine type and drive follow-up exploit actions, so it ingests third-party content that can materially influence behavior.