exploit-file-download

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly demonstrates reading sensitive files (e.g., /etc/shadow, .env, config.php) and even shows passing file contents verbatim on the command line (e.g., --file-read "root:x:0:0:..."), which requires the LLM to handle and output secret data directly, an insecure pattern.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.85). These URLs are high-risk: the majority are LFI/path-traversal exploit payloads (used to read sensitive files or achieve RCE) and the list also includes a direct raw .sh install link and git clone commands — any raw scripts or cloned repos executed without verification could deliver malware or enable attacks.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill explicitly documents and automates techniques to discover and exploit LFI/path-traversal vulnerabilities (including payloads, WAF bypasses, and automation) to read sensitive files (SSH keys, /etc/shadow, cloud credentials, service tokens), perform log‑poisoning to achieve remote code execution, and evade detection—facilitating deliberate data exfiltration, credential theft, and system compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill explicitly instructs the agent to fetch and analyze arbitrary, user-supplied public URLs (see SKILL.md curl/ffuf examples) and contains scripts (scripts/file_download_tester.py) that use requests to retrieve and parse remote responses for vulnerability detection, so untrusted third‑party content is ingested and can influence tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's required tool installation includes "go install github.com/ffuf/ffuf@latest", which fetches and builds/executes remote code from https://github.com/ffuf/ffuf (a runtime installation step for a required dependency), so it introduces execution of external code.