bug-bounty

Fail

Audited by Snyk on May 24, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.75). The URL set is mixed — many are legitimate security/docs resources (GitHub, PortSwigger, SecLists) but it also contains attacker-controlled domains, obfuscated/encoded hostnames, internal metadata endpoints, null-byte/redirect tricks and raw file URLs that are common vectors for hosting or delivering malicious payloads, so the overall collection should be treated as moderately-to-highly suspicious.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The document contains detailed, actionable exploitation techniques (credential exfiltration, GitHub Actions expression injection and untrusted checkout leading to RCE and secret theft, artifact/cache poisoning, self-hosted runner persistence, SSRF→metadata exfiltration, supply-chain abuse and PoC payloads) that enable intentional backdoor installation, data exfiltration, and system compromise—clearly high-risk malicious capabilities rather than benign guidance.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs runtime fetching and ingestion of open/public third-party content (e.g., the Recon pipeline using waybackurls/gau/katana/httpx, JS/URL crawling, and "Read Disclosed Reports" via HackerOne GraphQL and public GitHub repos), so the agent would read and act on untrusted user-generated/public web content that could carry indirect prompt-injection instructions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill contains explicit, actionable post‑exploitation instructions (e.g., docker -v /:/host --privileged to chroot the host, adding SSH keys, modifying sudoers, dumping process memory) that instruct an agent how to gain persistent root access and modify host system files, i.e., to compromise the machine's state.

Issues (4)

  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: May 24, 2026, 01:58 AM
Issues: 4