hunt-rce

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). Yes — the list includes attacker-controlled direct-downloads of scripts and Java archives (e.g., attacker.com/x.sh, attacker.com/exploit.jar, attacker/shell, attacker/dtd), plus classic exploitation endpoints (webshell.php?cmd=…, cgi-bin traversal, Jenkins jnlpJars, IMDS metadata URL) which are strong indicators of malicious distribution and active exploitation vectors.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This document is high-risk offensive guidance: it gives step-by-step, actionable RCE exploitation techniques, explicit payloads for remote code execution, data exfiltration and credential theft, instructions for implanting backdoors and supply-chain compromises, and thus clearly enables malicious abuse.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt is a detailed, actionable RCE exploitation guide that directly instructs running shell/kubectl/java/curl commands, reading local secrets (e.g. /var/run/secrets, /etc/passwd), and writing/triggering cron/webshell payloads — all of which can exfiltrate credentials or be used to modify or commandeer the host or its credentials, so it encourages compromising the machine state.