portainer-exploit
Fail
Audited by Snyk on Apr 22, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs obtaining and using authentication (default/weak credentials and JWT tokens) to make API requests and exploit workflows, which implies embedding secrets (passwords/tokens) verbatim into commands or requests and thus creates an exfiltration risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This content is clearly malicious: it provides step-by-step exploit tooling and scripts to achieve unauthorized RCE and host compromise via Portainer (SSRF/CRLF exploit, JWT brute/enum), includes actions to exfiltrate credentials (/etc/shadow, JWTs), mount the host filesystem, and establish persistent backdoors (inject SSH keys, create sudo NOPASSWD users), which are intentional attack behaviors.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's workflow and reference scripts (SKILL.md and references/*.md) explicitly direct the agent to fetch and interpret responses from arbitrary target URLs (e.g., requests to /api/status, /api/auth, /api/endpoints and websocket paths like /websocket/exec) and then base enumeration, authentication, and exploitation decisions on that untrusted, third-party content.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs creating privileged containers that bind-mount the host root and chroot into /host to execute commands (and includes API calls to create/start containers), which are direct, high-risk steps to modify the host system and achieve RCE—so it clearly pushes the agent to compromise machine state.
Issues (4)
W007
HIGH: Insecure credential handling detected in skill instructions.
E006
CRITICAL: Malicious code pattern detected in skill scripts.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W013
MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata