hackthebox
Fail
Audited by Snyk on May 13, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The workflow explicitly instructs the agent to "Get Credentials" by running an env-reader that fetches secrets (HTB_USER, HTB_PASS, HTB_TOKEN, ANTHROPIC_API_KEY, SLACK_BOT_TOKEN, etc.), which means the LLM/agent will obtain raw secret values that could be included verbatim in commands or outputs (exfiltration risk).
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The skill content contains extensive, actionable offensive guidance (Cloudflare evasion, automated headed browsers, SSRF→gopher/HTTP2 bridging, crafted PDF/JS exploits, C2 decryption and key-recovery, credential capture/cracking, remote code execution patterns, orchestration of automated agents and API-based flag/credential handling) that enables data exfiltration, credential theft, backdoor/RCE deployment and stealthy abuse—highly dangerous if used outside an authorized CTF/test environment.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to navigate to and read HTB challenge pages and download challenge files from the public HackTheBox site (see SKILL.md step 4 "Login hackthebox.com", platform-navigation.md's "Navigate to challenge page / read description / download challenge files", and coordinator-spawn.md which tells coordinators to "read source code" and pass challenge URLs), meaning the agent consumes public, user-generated third-party content that will be interpreted to decide next actions (spawn/exploit/submit) and thus could enable indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill documentation explicitly instructs fetching and executing remote code during runtime (e.g., "git clone https://github.com/worawit/blutter" then running python3 blutter.py; similar instructions appear for https://github.com/rscloura/Doldrums and https://github.com/Impact-I/reFlutter), which pulls third-party code that would be executed and thus can directly control behavior or run arbitrary code.
Issues (4)
W007
HIGH: Insecure credential handling detected in skill instructions.
E006
CRITICAL: Malicious code pattern detected in skill scripts.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).