gcp-exploit
Fail
Audited by Snyk on May 4, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This content is a clear, actionable malicious playbook: it provides step-by-step techniques to discover and steal GCP credentials, escalate IAM privileges, perform GKE/container escape and lateral movement, exfiltrate tokens/data to attacker-controlled endpoints, and establish persistent backdoors—i.e., deliberate attack and persistence instructions rather than benign guidance.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs fetching and parsing external public resources—e.g., curl against https://storage.googleapis.com/BUCKET_NAME, calls to public Google APIs (secretmanager.googleapis.com), and git clone https://github.com/...—so untrusted third-party content could be read and materially influence subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs at runtime to git clone and run scripts from https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation.git (pip install and python commands), which fetches remote code that is then executed, meeting the criteria for a risky external dependency.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill explicitly instructs credential theft, filesystem searches for secret JSON keys, creating service-account keys and files (e.g., /tmp/key.json, backdoor.json), and running gcloud commands that modify local gcloud auth/state and create persistent backdoors — actions that would compromise the host and its state.
Issues (4)
E006
CRITICAL: Malicious code pattern detected in skill scripts.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata