ssrf-server-side-request-forgery

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This playbook explicitly instructs crafting requests to cloud metadata endpoints and shows including a metadata token/header (e.g., X-aws-ec2-metadata-token: TOKEN) and exfiltrating IAM/meta-data secrets, which implies the agent would need to handle and embed secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is a clearly malicious SSRF attack playbook: it explicitly instructs how to steal cloud metadata and service credentials, exfiltrate data to attacker-controlled hosts, achieve remote code execution (reverse shells, cron-based persistence), and abuse protocols (gopher/redis/file) and encoding/obfuscation techniques to bypass filters.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md playbook explicitly instructs using and interpreting responses from public, attacker-controlled URLs and services (e.g., supplying a Burp Collaborator / interact.sh callback URL, using attacker.com redirects and rbndr.us DNS-rebinding, and GitHub tooling) as part of the SSRF testing workflow, so untrusted third-party content is fetched and can materially influence subsequent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The playbook contains explicit, actionable instructions to exploit SSRF for state-changing attacks on the target host (create privileged Docker containers, write cronjobs/webshells via Redis, modify files via gopher/file schemes, etc.), which would directly compromise the machine the agent is running on.