expression-language-injection

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). Contains explicit, actionable exploit instructions and payloads enabling remote code execution, sandbox/blacklist bypass, and data exfiltration (SpEL/OGNL/Java EL Runtime.exec, ProcessBuilder, actuator route injection, OgnlUtil clearing, Struts2/Confluence CVE abuse), indicating deliberate malicious intent.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to send HTTP requests to third‑party targets (e.g., POST /actuator/gateway/routes, GET /hackpath, POST /pages/createpage-entervariables.action) and to read/interpret response bodies and headers (checking for "9" or command output) as part of the detection/exploitation workflow, which clearly ingests untrusted, user-controlled web content that can drive further actions.