hunt-cloud-misconfig

Fail

Audited by Snyk on Jun 13, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.85). These URLs are suspicious because they include cloud metadata endpoints, S3/Firebase bucket patterns and placeholders, AWS RUM/dataplane endpoints and a known offensive toolkit (pacu) — all common vectors for credential theft, telemetry exfiltration, hosting/serving malicious payloads or delivering exploit tooling even though they aren't direct .exe links.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The document is an offensive playbook that explicitly instructs how to steal cloud credentials (EC2 metadata, Cognito identity pools), exfiltrate data covertly (using CloudWatch RUM telemetry), perform resource enumeration and abuse (aws CLI, pacu), and enable supply-chain/subdomain takeovers and persistent JS backdoors — all clear malicious/abusive behaviors.

Issues (2)

  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Jun 13, 2026, 04:05 PM
  • Issues: 2