enterprise-vpn-attack

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs retrieving plaintext credentials and session tokens (e.g., Fortinet CVE file reads that return "username / password" and session tokens, SAML/session token extraction, and later chains that reuse LDAP bind or VPN credentials), which would require the agent to handle and output secret values verbatim to perform or report the attacks.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This is a highly actionable offensive playbook containing explicit PoCs and commands for pre-auth RCE, path traversal/file-read, credential harvesting, web-shell deployment and lateral pivoting—clearly enabling unauthorized data exfiltration, credential theft, and full system compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to fetch and parse live public endpoints (e.g., SAML metadata at https://target/+CSCOE+/saml/sp/metadata and many curl tests like /remote/fgt_lang, /vpn/../vpns/cfg/smb.conf) from arbitrary targets and to use those untrusted responses to decide follow-up actions and pivot to other skills, which exposes the agent to untrusted third-party content that could carry indirect prompt-injection.