cobalt-strike
Fail
Audited by Snyk on May 9, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill contains explicit commands that require embedding secrets verbatim (e.g., `./teamserver`, `spawnas`/`runas <domain\user>`, `pth <domain\user> <ntlm_hash>`), so an LLM following the instructions would have to handle and output sensitive credentials directly.
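The W007 finding turns on whether a skill's instructions force an agent to put credentials on a command line. As an added illustration (not Snyk's scanner and not derived from it), the following Python flags that pattern in constructed sample instructions: it matches command names that take credentials as arguments, placeholders whose names signal a secret, and 32-hex literals that look like an NTLM hash already embedded verbatim. The command list, placeholder names and the sample skill text are assumptions chosen for the example; the only hash literal in the sample is the well-known NTLM hash of the empty password.

```python
import re
from dataclasses import dataclass, field

# Assumption (illustrative, not Snyk's W007 heuristic): command names whose
# arguments are commonly credentials, with the reason each is flagged.
CREDENTIAL_COMMANDS = {
    "./teamserver": "team server password passed as a CLI argument",
    "pth": "NTLM hash passed on the command line",
    "spawnas": "plaintext password for a user",
    "runas": "plaintext password for a user",
    "make_token": "plaintext password for a user",
}

# Assumption: placeholder names that an agent could only fill with a secret.
SECRET_PLACEHOLDERS = {
    "password", "passwd", "pass", "ntlm_hash", "ntlm", "hash",
    "aes256_key", "token", "api_key", "secret",
}

PLACEHOLDER_RE = re.compile(r"<([A-Za-z0-9_\\/.-]+)>")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")   # NTLM hashes are 32 hex chars


@dataclass
class Finding:
    line_no: int
    command: str
    text: str
    reasons: list = field(default_factory=list)


def scan_instructions(text: str) -> list:
    """Return one Finding per instruction line that would require a secret."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd = line.split()[0].lower()
        reasons = []
        if cmd in CREDENTIAL_COMMANDS:
            reasons.append(f"{cmd}: {CREDENTIAL_COMMANDS[cmd]}")
        for ph in PLACEHOLDER_RE.findall(line):
            if ph.lower() in SECRET_PLACEHOLDERS:
                reasons.append(f"placeholder <{ph}> must be filled with a secret")
        if HEX32_RE.search(line):
            reasons.append("32-hex literal looks like an NTLM hash embedded verbatim")
        if reasons:
            findings.append(Finding(n, cmd, line, reasons))
    return findings


# Constructed sample skill instructions (not taken from any real skill).
SAMPLE_SKILL = """\
# constructed sample: mixed benign and credential-bearing commands
sleep 60 20
pth CORP\\alice 31d6cfe0d16ae931b73c59d7e0c089c0
spawnas CORP\\svc-backup <password> smb-listener
ls C:\\Users
make_token CORP\\bob <password>
"""

if __name__ == "__main__":
    for f in scan_instructions(SAMPLE_SKILL):
        print(f"line {f.line_no}: {f.text}")
        for r in f.reasons:
            print(f"    - {r}")
```

Lines that merely run a command (`sleep`, `ls`) produce no finding; the three credential-bearing lines are reported with every reason that applies, so a reviewer can distinguish a placeholder the agent would have to fill from a secret that is already present verbatim.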
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The content is an explicit Cobalt Strike attack-operations and automation-script guide. It details establishing reverse C2 channels and backdoors (TeamServer, listeners, redirectors), remote command execution and process injection, credential theft (Mimikatz, logonpasswords, DCSync, golden tickets), keylogging and screenshots, lateral movement (psexec, wmi, winrm, SSH pivoting), privilege escalation, persistence, and data exfiltration (webhooks, redirectors, disguised Malleable C2 profiles): a complete set of abuse techniques directly usable for intrusion, maintaining access, lateral spread and data theft, with clear malicious purpose and high risk.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt is an explicit operational guide for deploying Cobalt Strike (starting the TeamServer, running socat on privileged ports, creating listeners and services, uploading and executing payloads, and performing privilege escalation). All of these instruct the agent to run network services and modify system state, in places requiring elevated privileges, so the skill pushes an agent toward compromising the host.
Issues (3)
W007
HIGH: Insecure credential handling detected in skill instructions.
E006
CRITICAL: Malicious code pattern detected in skill scripts.
W013
MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata