ntlm-relay-coercion

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples and commands that embed plaintext credentials (e.g., "P@ss123" and "-u user -p pass") and instruct adding/using passwords on the command line, which requires the agent to handle or output secret values verbatim and is therefore insecure.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is an explicit offensive playbook that instructs how to coerce and capture NTLM authentication and relay it to achieve credential theft, privilege escalation, remote code execution, certificate theft, and domain compromise.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The playbook instructs running and configuring network MITM and relay tools (responder, mitm6, ntlmrelayx), editing /etc/responder/Responder.conf and performing DHCP/DNS manipulation — actions that modify the local system/network configuration and require elevated (sudo/root) privileges, so it urges changes to the host's state.