oa-system-attack

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt embeds plaintext default passwords and instructs trying them and collecting internal credentials, which requires the agent to include secret/password values verbatim in commands or outputs, creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content is an explicit offensive playbook instructing how to gain unauthorized admin access, upload webshells, achieve remote code execution, exfiltrate credentials/configs, and pivot in internal networks—demonstrating clear, intentional malicious/backdoor behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md and referenced files explicitly instruct the agent to fetch and parse responses from arbitrary TARGET URLs (e.g., curl to http://TARGET/... and steps that read returned SessionIDs, filenames, DB configs and web pages in references/oa-exploits.md), and to use those untrusted third-party responses to decide next exploitation actions, so third-party content can materially influence behavior.