grafana-exploit
Fail
Audited by Snyk on Apr 22, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs discovering and exfiltrating Grafana credentials (including default admin/admin, data-source credentials and API keys) and includes payloads to read config/db files, which would require the LLM to handle and potentially output secret values verbatim.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This skill contains explicit, actionable exploit code and payloads that enable unauthorized file reading (including /etc/passwd, /etc/shadow, Grafana config/db), credential theft, SSRF to cloud metadata, authenticated DuckDB-based arbitrary command execution, installation/loading of extensions and a reverse shell — i.e., clear intent and capabilities for data exfiltration, backdoor/RCE and system compromise.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's required workflow and reference code (SKILL.md and references/*.md, e.g., references/path-traversal-cves.md and references/duckdb-rce.md) perform HTTP requests to arbitrary Grafana URLs (e.g., /public/plugins/..., /api/ds/query, /dashboard/snapshot/), ingesting and interpreting responses from untrusted third-party web endpoints to decide and drive exploitation actions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly provides exploit payloads and instructions for unauthenticated file reads, authenticated DuckDB-based RCE (including installing shellfs and executing shell commands), and post-auth actions like credential/API key and user management—directly guiding modification and compromise of a machine's state.
Issues (4)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.