prototype-pollution-exploit
Warn
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes numerous shell commands and a comprehensive Python automation script (
references/server-side-rce.md) that executes network requests and demonstrates how to trigger system commands on a target server. - [REMOTE_CODE_EXECUTION]: Extensive documentation and payload examples are provided for achieving RCE via several Node.js template engines (EJS, Pug, Handlebars) and the
child_processmodule. These payloads are specifically designed to execute arbitrary code on the target environment. - [EXTERNAL_DOWNLOADS]: The skill references and provides installation instructions for several third-party security tools hosted on GitHub, such as
ppmapandPPScan, which involves downloading and executing external code. - [DATA_EXFILTRATION]: Instructions and script functions (e.g.,
exfil_via_oobinreferences/server-side-rce.md) demonstrate how to read sensitive files like/flagand exfiltrate the content to an attacker-controlled server using HTTP requests.
Audit Metadata