cicd-pipeline-attack

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs actors to extract secrets (e.g., dumping env, echoing toJson(secrets), writing secrets to artifacts/issues) and to exfiltrate them, which requires including secret values verbatim in commands/outputs.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This document is an explicit offensive playbook that deliberately describes techniques to compromise CI/CD systems—including direct/indirect pipeline poisoning, RCE (Jenkins/Terraform/Atlantis/GitHub Actions), secrets and cloud credential exfiltration (OIDC/AWS/GCP tokens), artifact/cache poisoning, supply‑chain/package tampering, and persistence/backdoor methods—clearly intended to enable malicious operations and abuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's workflow explicitly directs cloning and inspecting public repositories and CI config and warns that untrusted, user-generated inputs (PR/issue/comment titles/bodies, uploaded artifacts, external URLs) — see SKILL.md Phase 2 (Context Script Injection) and references/github-actions-abuse.md sections 2 and 9 — are to be read/interpreted and can alter execution (e.g., injecting shell commands or LLM prompts), exposing the agent to indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). Flagged because the prompt gives actionable, high‑privilege techniques (e.g., dumping /proc//mem or using gcore, abusing Docker API/metadata service, Jenkins Groovy RCE, container escape and credential exfiltration) that instruct an agent how to access or modify sensitive system state and obtain elevated privileges on the host.