analyzing-cobalt-strike-beacon-configuration
Fail
Audited by Snyk on Apr 6, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The provided skill code and instructions explicitly extract and print raw beacon configuration fields (including "SETTING_PUBKEY" and referenced "encryption keys", watermarks, and other opaque C2 secrets), so an agent following it would output secret/credential values verbatim, creating an exfiltration risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The content explicitly targets Cobalt Strike beacons—providing XOR deobfuscation keys, TLV parsing, extraction of C2 domains/URIs, spawn-to/named-pipe details, and malleable C2 profile analysis—i.e., it documents and automates discovery and manipulation of a backdoor/C2 infrastructure and contains obfuscation/decoding techniques commonly used for malicious persistence and data-exfiltration channels.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
E006
CRITICAL: Malicious code pattern detected in skill scripts.
Audit Metadata