exploiting-template-injection-vulnerabilities

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that pass credentials directly in CLI headers (e.g., Cookie: session=abc123, Authorization: Bearer token) and instructs payloads to retrieve and report sensitive values like Flask SECRET_KEY, requiring the agent to output secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content explicitly provides payloads, scripts, and automation to discover and exploit Server‑Side Template Injection (SSTI) for remote code execution, secret/key disclosure, file reads (e.g., /etc/passwd), and command execution across multiple template engines, representing intentional offensive capability and high-risk abuse potential.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's workflow and code explicitly fetch and ingest responses from arbitrary target URLs (e.g., SKILL.md curl examples like "https://target.example.com/page?name=..." and scripts/agent.py's send_payload/identify_engine/test* functions), treating untrusted public web responses as input and using those responses to drive detection, engine identification, and follow-up exploitation steps—so third-party content can directly influence subsequent tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs fetching and executing external code (tplmap) via the git URL https://github.com/epinna/tplmap.git (clone in prerequisites and later python3 tplmap.py ... usage), so this runtime-fetched repository is a required dependency that executes remote code.