testing-for-xxe-injection-vulnerabilities

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). Yes — the list includes attacker-controlled/OOB domains (abc123.oast.fun, attacker.example.com), an unvetted GitHub repo distributing an XXE exploit tool, and direct links to external DTDs/callback endpoints and internal metadata/localhost targets, which are strong indicators of malicious/exploit distribution and high-risk payload delivery.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content explicitly contains offensive XXE exploitation techniques and automation to read local files, exfiltrate data to attacker-controlled domains (external DTDs, OOB HTTP/DNS, FTP), perform SSRF against cloud metadata (credential theft), and even DoS via entity expansion—functionality that is intended for and can be readily abused for unauthorized data exfiltration and system compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's agent (scripts/agent.py) actively sends requests to arbitrary base_url endpoints (see detect_xml_endpoints and test_xxe_payloads), ingests and interprets the returned resp.text/status codes from untrusted targets as part of its workflow to decide and record findings, so third-party responses can materially influence behavior.