hunt-ssti

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The document explicitly provides ready-to-use SSTI RCE payloads (Jinja2/Twig/ERB), SSRF techniques to exfiltrate cloud credentials (AWS metadata), and guidance for remote code execution and exploitation chains, indicating high-risk malicious exploitation intent.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The skill’s workflow is to test SSTI by injecting attacker-controlled free-text payloads (e.g., {{config.__class__.__init__.__globals__['os'].popen('id').read()}}) into user-supplied fields/parameters that the server reflects and renders, so the LLM context is fed outsider-authored template text at runtime via those injection inputs.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). This skill explicitly provides server‑side template injection (SSTI) RCE payloads that execute shell commands (e.g., running id, invoking os.popen, fetching instance metadata) and thus directly enable arbitrary command execution and full compromise of the machine where the template is rendered.