ctf-misc

Fail

Audited by Snyk on Apr 17, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to ask the user for their CTFd API token and to embed it verbatim in Authorization headers/commands (e.g., curl with Authorization: Token $CTF_TOKEN), which requires the LLM to handle and output secret values directly.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The content is high-risk: it documents many explicit, actionable techniques for remote code execution, credential exfiltration, privilege escalation, container/host escapes, and secret harvesting (BuildKit/Docker/Postgres/etc.), which are dual-use but readily abusable for real-world attacks outside of CTF contexts.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md and ctfd-navigation.md) explicitly instructs the agent to fetch and parse public third-party web resources (e.g., curl against arbitrary CTFd URLs/APIs, downloading challenge files, and following external "breadcrumbs" like GitHub Gists/Pastebin links described in the Multi-Stage URL Encoding Chain), so untrusted user-generated content is ingested and used to determine subsequent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt contains explicit, actionable privilege-escalation and host-compromise instructions (e.g., mounting / via docker and chroot, SUID exploitation, sudo wildcard injection, apt/brew installs) that direct an agent to obtain root and modify the machine state.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 17, 2026, 10:31 PM
Issues: 4