security-webshells

Fail

Audited by Snyk on Jun 13, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 1.00). Yes — the list includes repositories and pages (SecLists, Laudanum, pentestmonkey, Wordpress/other web‑shell projects and even an nc.exe binary) that directly host web shells, reverse shells, backdoors and executables: dual‑use code commonly used to deliver or run malware and therefore high risk unless used only in an authorized, isolated lab from trusted sources.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This collection contains explicit web‑shells, backdoors and reverse shells (remote command execution, file upload/download, outbound TCP connections, credential harvesting and datasource decryption, proxy/tunneling tools, obfuscated payloads) — code clearly designed to enable unauthorized remote access and data exfiltration.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the skill content for high-entropy literal values that function as real credentials.

I found two definite secrets:

  • The 3DES key literal in references/Web-Shells/CFM/shell.cfm.html: generate3DesKey("0yJ!@1$r8p0L@r1$6yJ!@1rj"). This is a hardcoded symmetric key used to decrypt datasource passwords — a usable secret and high-entropy string.
  • The ColdFusion authentication GUID in references/Web-Shells/laudanum-1.0/cfm/shell.cfm: secretCode = "a208bddb1f68aa8a8641b65d93979740c82fb387". This is a 40‑hex SHA1-like value explicitly used as an authentication token in the code — a hardcoded credential.

Other candidate values I reviewed and explicitly ignored:

  • Password hashes in references/Web-Shells/laudanum-1.0/php/shell.php (SHA1 hex strings for sample users). These are stored password hashes (not immediate plaintext credentials). They are sensitive and could be cracked offline, but they do not directly act as an immediately usable plaintext credential in the code (the code compares hash(password) to the stored hash). Per the scanning rules I did not treat these as the primary high-confidence live credentials to flag.
  • IP addresses, example usernames, filenames, obvious placeholders, and simple strings (e.g., internal allowed IP lists, sample ports, "CHANGE THIS", etc.) — all ignored as non-secrets or documentation/configuration examples.

Conclusion: there are high-entropy, hardcoded secrets present (the 3DES key and the CF secretCode) and they should be treated as exposed credentials.


MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

  • Hidden Unicode characters detected (1 type(s) found)


Audit Metadata

Risk Level: CRITICAL
Analyzed: Jun 13, 2026, 06:34 AM
Issues: 4