ai-infrastructure-attack

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs retrieving tokens/credentials (e.g., reading Kubernetes service account tokens, JUPYTER_TOKEN, or printing environment variables) and shows embedding tokens directly into curl/Authorization headers and command outputs, which requires the LLM to handle and output secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is explicitly a playbook for unauthorized compromise of AI/ML infrastructure—containing step‑by‑step RCE techniques (Jupyter kernel/terminals, Ray jobs, MLflow model poisoning), credential and cloud metadata exfiltration, reverse shells and backdoor creation, SSRF/model pull to attacker hosts, and supply‑chain injection guidance—i.e., deliberate malicious behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs the agent to fetch and parse responses from arbitrary target services (e.g., curl -s http://TARGET:8888/api, http://TARGET:5000/api/..., http://TARGET:8265/api/...), using those untrusted runtime responses (tokens, artifact locations, model prompts, etc.) to decide and execute follow-up actions like RCE or model registration, so it clearly consumes untrusted third‑party content that could carry indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill contains explicit runtime commands that instruct targets to fetch and install or load remote content that will execute code or control model behavior (e.g., Ray runtime_env pip: "http://ATTACKER/malicious-1.0.tar.gz" and Ollama pull: "http://ATTACKER_IP:8080/malicious"), which is a clear remote-code/control risk.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs discovery of services and multiple RCE techniques (creating kernels, executing shell commands, registering malicious models, submitting jobs, reading/writing sensitive files and tokens), which directly enables modifying and compromising the state of target machines and bypassing protections.