SSH Penetration Testing

Fail

Audited by Snyk on Feb 21, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill contains examples that embed and print plaintext credentials and SSH key material verbatim (e.g., password strings, echoing an ssh-rsa key into authorized_keys, and printing username:password in Paramiko), so a model following it would need to output secrets verbatim.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 1.00). The flagged URLs point to private SSH keys and a backup tarball that are directly accessible over HTTP (and to a localhost tunnel endpoint), indicating exposed credentials and backups that are highly sensitive and could enable account takeover or distribution of malicious artifacts.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The content contains explicit, actionable instructions for unauthorized access and abuse—credential brute-forcing, key harvesting and injection (adding authorized_keys), reverse shell callbacks and port forwarding for remote access/pivoting, data/credential exfiltration commands, and evasion techniques—indicating clear malicious/backdoor-capable intent.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's Phase 5 "Web-accessible keys" explicitly instructs using curl/wget (e.g., curl -s http://target.com/.ssh/id_rsa) to fetch arbitrary web-hosted content, meaning the agent would retrieve and act on untrusted third-party data that can directly change subsequent actions (e.g., use found keys to authenticate).

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs actions that modify system state and introduce persistence on the host (e.g., appending SSH keys to ~/.ssh/authorized_keys, appending to /etc/proxychains.conf, creating reverse tunnels, reading/modifying SSH configs and checking sudo), which directly push the agent to change or compromise the machine it runs on.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 21, 2026, 12:47 PM