ad-acl-abuse

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill includes numerous CLI and tool examples that embed plaintext credentials and secrets directly (e.g., DOMAIN/user:pass, -U 'user%pass', -p pass, -pfx-pass PASS, FakeP@ss), which requires the LLM/agent to place secret values verbatim into commands and outputs, creating a high exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This is an explicit offensive playbook: it provides step‑by‑step, actionable instructions and tool commands to enumerate and abuse AD ACLs for credential theft (DCSync/secretsdump, LAPS, NT hashes), privilege escalation to Domain Admins (WriteDACL/WriteOwner/GenericAll chains, RBCD, Shadow Credentials), remote code execution and persistence (GPO abuse, creating machine accounts, adding group members), and OPSEC/cleanup guidance — i.e., clearly malicious and intended for abuse.