exploit-lfi

Fail

Audited by Socket on Mar 30, 2026

7 alerts found:

Anomaly x1, Security x4, Malware x2

Anomaly (LOW)
scripts/lfi_storage.py

The module functions as a reporting/persistence CLI for LFI findings and does not contain explicit malicious logic in the visible code. The primary security concerns are (1) runtime sys.path manipulation that can alter which StorageAPI implementation is imported (integrity/supply-chain risk if the referenced directory is writable or replaceable), and (2) forwarding optional --file-read content to StorageAPI, which can become a sensitive-data persistence/exfiltration vector depending on how StorageAPI stores/transmits data. Review StorageAPI implementation for safe storage (e.g., parameterized queries, secure transport, and correct handling/redaction of sensitive file contents) and ensure the sys.path target is trusted and integrity-protected.

Confidence: 62% | Severity: 52%

Security (MEDIUM)
scripts/lfi_bypass_tester.py

This module is an active LFI/path traversal bypass testing/exploitation utility. It constructs and sends attacker-controlled traversal payloads to a user-specified URL parameter, inspects HTTP responses for sensitive-file inclusion indicators, and prints response previews that may contain confidential data if the target is vulnerable. There is no clear evidence of stealth/persistence/backdoor behavior in the shown code, but it substantially enables offensive exploitation and sensitive data disclosure, making it a high-risk supply-chain inclusion unless the containing project is explicitly and safely scoped for security testing.

Confidence: 74% | Severity: 82%

Security (MEDIUM)
SKILL.md

This Skill is not an ordinary development/operations aid but a vulnerability exploitation and data theft tool aimed at AI agents. The installation chain itself largely comes from official sources, but the scope of its capabilities and its data targets are highly offensive, including batch probing, sensitive-file reading and RCE steps; overall it should be judged high-risk, suspicious and unsuitable as a routine agent skill.

Confidence: 95% | Severity: 93%

Security (MEDIUM)
scripts/lfi_detector.py

This module is an active LFI/path traversal and PHP wrapper probing tool. It takes untrusted operator inputs, injects exploitation-oriented payloads into user-selected request parameters, sends them over the network, and determines success via response content matching. No clear stealthy malware behaviors (persistence, exfiltration, shell execution) are present in the shown fragment, but the offensive capability makes it high security risk if included or executed in unintended contexts as a dependency.

Confidence: 66% | Severity: 82%

Security (MEDIUM)
references/bypass_techniques.md

This package artifact is not malicious code in itself, but it is an explicitly offensive, highly actionable LFI/WAF bypass and chaining playbook. In a software supply-chain context, distributing such material is a meaningful security risk because it can directly aid attackers. There is no direct malware execution evidence within the provided fragment.

Confidence: 72% | Severity: 82%

Malware (HIGH)
scripts/lfi_exploiter.py

High-confidence malicious/offensive behavior. The code is an LFI exploitation tool that crafts payloads to read sensitive files from a remote server, decodes wrapper-based output, probes /proc/self/environ, scans temp files, and includes log poisoning instructions leading to PHP command execution via system(). It also saves extracted data to local files.

Confidence: 92% | Severity: 95%

Malware (HIGH)
references/rce_methods.md

This fragment is a highly weaponized exploitation guide that provides concrete, attacker-ready instructions and PHP system-execution payloads for achieving RCE via LFI, along with multiple mechanisms to steal secrets (logs, /proc/self/environ, temp files, uploaded polyglots, SSH keys, PHP sessions, and database files). While it is not a software module with runtime logic, its inclusion in a software supply chain would be strongly concerning because it directly enables compromise and data theft.

Confidence: 90% | Severity: 92%

Audit Metadata

Analyzed At: Mar 30, 2026, 07:54 AM

Package URL:
pkg:socket/skills-sh/crazyMarky%2Fpentest-skills%2Fexploit-lfi%2F@b8e955cd8db45e28ffca318919aa9ebf44f836e9