ntlm-relay-attack

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly demonstrates and encourages embedding plaintext credentials (e.g., -u USER -p PASS and DOMAIN/USER:PASS@HOST) into command-line tools and URLs, which requires the agent to include secret values verbatim and is high-risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is an explicit offensive playbook detailing NTLM relay, credential capture/exfiltration, coerced authentication, remote code execution, ADCS abuse to obtain domain controller certificates and DCSync — i.e., step-by-step guidance for credential theft, lateral movement and full domain compromise, and is therefore clearly malicious.