performing-reconnaissance

Fail

Audited by Snyk on Mar 21, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs the agent to gather credentials and to document "Credentials found" (including commands to search JS/repos for api/token/key/secret/password), which implies the agent will extract and output secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content is explicitly crafted to enable initial access and attack-surface compromise—containing clear instructions for credential harvesting (GitHub secrets, email harvesting, breach searching), phishing reconnaissance, active scanning/vulnerability discovery (nmap/masscan/sqlmap), and OPSEC/IDS-evasion techniques (VPN/proxy, decoy/fragmented scans, "don't leave obvious traces") which together constitute deliberate malicious enabling behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to fetch and ingest open/public third-party content (e.g., curl against crt.sh, Shodan/Censys searches, GitHub dorks, social media/LinkedIn/Twitter enumeration, and curling public S3/GCS/Azure blob URLs) and then use those results to drive follow-up scans and actions, which could allow indirect prompt injection from untrusted user-generated sources.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill explicitly instructs running privileged commands (e.g., multiple "sudo" usages for nmap, masscan, arp-scan) which pushes the agent to obtain/use elevated privileges and perform active actions from the host even though it doesn't request persistent system-file changes or account creation.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 21, 2026, 01:18 AM
Issues: 4