exploit-lfi

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs reading sensitive files (e.g., .env, /etc/shadow) and includes examples that echo/store retrieved file contents (including passing --file-read on a CLI), which requires the agent to output secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill contains explicit, actionable exploitation tooling and payloads (path traversal, php://filter, data/expect wrappers, log poisoning, /proc/self/environ, upload+temp-file techniques) designed to read sensitive files (passwords, SSH keys, app config) and achieve remote code execution — clearly enabling data exfiltration, credential theft and backdoor/RCE behavior and therefore is high-risk and easily abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill clearly issues HTTP requests to arbitrary target URLs and ingests/analyses the returned content as part of its core workflow (see SKILL.md curl/ffuf examples and the runtime code in scripts/lfi_detector.py, scripts/lfi_exploiter.py and scripts/lfi_bypass_tester.py which fetch responses from untrusted public web targets and use those responses to drive further actions), so untrusted third‑party content can indirectly inject instructions or change behavior.