http2-specific-attacks

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The playbook includes and recommends embedding Authorization headers and other credentials directly in command-line examples (e.g., -H "Authorization: Bearer token123"), which encourages placing secret values verbatim into generated commands/requests, creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This document is an explicit attack playbook: it instructs how to bypass access controls and WAFs (h2c smuggling, pseudo-header manipulation), perform data-leakage techniques (HPACK compression/table poisoning), carry out request-smuggling and downgrade header injection, and launch DoS/cache-poisoning attacks—clearly intended for malicious exploitation rather than benign diagnostics.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and interpret live responses from arbitrary external sites (e.g., the curl h2c probe in Section 2.5 and the Quick Reference, and the h2 client examples that connect to https://target.com), so untrusted third‑party responses would be read and could change subsequent actions in the decision tree.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill includes explicit runtime instructions to fetch and execute external code (e.g., "git clone https://github.com/BishopFox/h2csmuggler" followed by "python3 h2csmuggler.py") which causes remote content to be executed and is presented as a required tool, so this URL is a high-confidence risky dependency.