security-arsenal

Fail

Audited by Snyk on Jun 13, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). The URL set is suspicious because it mixes clearly attacker-controlled domains (attacker.com, evil.com, attacker.burpcollaborator.net), a typosquatted host (target.com.evil.com), redirectors to cloud metadata/internal IPs and many internal service endpoints (169.254.169.254, localhost variants) commonly abused for SSRF/exfiltration — all high-risk indicators for malware distribution or credential/data theft (the lone GitHub repo is the only benign-looking item).

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This document is a ready-to-use offensive payload library containing explicit data-exfiltration and credential-theft payloads (cookie theft scripts, SSRF to cloud metadata endpoints, XXE/XXE-OOB pointing to attacker domains), remote-code-execution/backdoor primitives (SSTI/Jinja2/Twig/EJS payloads, eval/constructor/new Function usage, command-injection examples that call attacker hosts), WebSocket hijacking exfil patterns, and numerous bypass/obfuscation techniques — collectively showing clear, deliberate malicious capability and intent.

Issues (2)

  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Jun 13, 2026, 04:06 PM
  • Issues: 2