ssti-server-side-template-injection

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This playbook explicitly directs reading and exfiltration of sensitive files and environment variables (e.g., /proc/self/environ, application config, ~/.aws/credentials), which would require the agent to handle and likely output secret values verbatim when reporting results.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The document is an explicit attacker playbook for achieving server-side template injection leading to remote code execution, data exfiltration (including credentials), webshell deployment, persistence, and includes obfuscation and OOB exfil techniques—i.e., clearly malicious instruction set for compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). Yes — the SKILL.md and SCENARIOS.md explicitly instruct sending probes and reading HTTP responses from target web pages/endpoints (e.g., "DETECTION — POLYGLOT PROBE SEQUENCE" and SCENARIOS.md examples like GET /index.php?... and POST /actuator/...), so the agent ingests untrusted public website content whose responses directly determine follow-up actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly provides RCE payloads for multiple template engines and post‑RCE actions (reading /etc/*, ~/.aws/credentials, creating reverse shells/persistence), which instruct an agent to execute system commands and perform actions that compromise or modify the host state.