oss-bucket-exploit
Fail
Audited by Snyk on Apr 22, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt contains explicit examples and workflow steps that embed credentials (SecretId, SecretKey, SessionToken) into CLI config and SDK code (e.g., coscli config init and Python snippets), which would cause an agent to solicit and/or output secret values verbatim.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This content is an explicit offensive playbook providing step-by-step instructions for unauthorized data exfiltration, credential discovery/harvesting, changing ACLs/policies to gain full control, bucket takeover, and uploading webshells/supply-chain payloads — clearly intended for abuse.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to fetch and read arbitrary public object-storage URLs (e.g., curl "https://BUCKET.../?list-type=2", aws s3 sync, coscli cp and curl PUT/GET calls in Phase 3/6 and references/bucket-attack-methods.md), meaning the agent will ingest untrusted third-party content from public buckets and act on it as part of its workflow.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill includes an installation command that downloads and installs a remote executable at runtime (wget https://cosbrowser.cloud.tencent.com/software/coscli/coscli-linux-amd64 → mv /usr/local/bin/coscli && chmod +x), which fetches and enables execution of remote code and is a required dependency for many COS operations in the skill.
Issues (4)
W007 (HIGH): Insecure credential handling detected in skill instructions.
E006 (CRITICAL): Malicious code pattern detected in skill scripts.
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata