coercing-authentication-with-coercer-petitpotam

Fail

Audited by Snyk on Jun 23, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs the agent/user to pass plaintext credentials (e.g., -u and -p 'Passw0rd!') directly on command lines and to collect/use domain passwords and keys verbatim in commands and tools, which requires the LLM to handle/output secret values exactly and thus poses a high exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). Yes — several URLs point to offensive-security tooling on GitHub (Coercer, PetitPotam, Impacket, Certipy) and internal AD CS endpoints (e.g., CA.CORP.LOCAL/certsrv) that are legitimate research tools but are commonly used to coerce authentication, perform NTLM relay/ESC8 chains, and could be used to distribute or enable malware/domain compromise (the Apache, MITRE, NIST, and TheHacker.Recipes links are benign documentation).

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content explicitly documents and automates offensive techniques—RPC-based forced authentication (PetitPotam/Coercer) combined with NTLM relay (ESC8/LDAP relay) to obtain DC certificates, perform DCSync or RBCD, and thus enable full domain compromise—so it embodies deliberate malicious behavior despite an "authorized use" notice.

Issues (3)

W007
HIGH

Insecure credential handling detected in skill instructions.

E005
CRITICAL

Suspicious download URL detected in skill instructions.

E006
CRITICAL

Malicious code pattern detected in skill scripts.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 23, 2026, 07:04 AM
Issues
3
Security Audit — snyk — coercing-authentication-with-coercer-petitpotam