lateral-movement

Fail

Audited by Snyk on Apr 22, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs using discovered passwords, NTLM hashes, private keys, and tickets for lateral movement (PTH, PTT, SSH keys, RDP, etc.), which would require the agent to place those secret values verbatim into commands or tooling, creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The content explicitly documents and instructs on unauthorized lateral movement techniques—including credential theft (mimikatz, PTH/PTT), remote command execution (psexec/wmiexec/dcomexec/WinRM), pivoting (SSH tunnels/proxychains), and detection evasion—constituting deliberate malicious behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs credential-based lateral movement techniques that modify system state (e.g., PSExec creating services, running mimikatz PTT, changing file permissions with chmod 600) and guides actions that compromise local or remote machines.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 22, 2026, 10:09 AM
Issues: 3