hunt-ssrf

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs fetching cloud metadata and other sensitive endpoints and shows payloads that read and exfiltrate instance tokens/credentials (e.g., metadata endpoints and JS/curl payloads that forward tokens to a callback), which requires collecting and transmitting secret values verbatim—an immediate exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The document is an explicit offensive SSRF exploitation playbook — it contains step-by-step instructions, payloads and bypasses to exfiltrate cloud metadata/credentials, perform blind OOB data exfiltration, pivot to internal services, and escalate to RCE (gopher→Redis, cron/authorized_keys), indicating clear malicious intent and high abuse potential.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (medium risk: 0.65). The skill’s runtime workflow is explicitly about testing URL-fetching/preview/import/proxy endpoints by sending attacker-controlled url/uri/endpoint/... parameters to the victim and using an OOB listener (e.g., Burp Collaborator/interactsh/canarytokens) to detect callbacks; this means the agent will ingest outsider-authored free text from the OOB/callback channel (attacker-controlled DNS/HTTP logs) into the LLM context as evidence.