prototype-pollution-exploit

Fail

Audited by Snyk on Apr 22, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This document is an explicit offensive exploit guide: it provides concrete prototype-pollution payloads and automated scripts to achieve RCE, child_process/template-engine injection, environment manipulation (NODE_OPTIONS), and data exfiltration (curl/DNS/HTTP callbacks, stealing cookies/flags), demonstrating clear malicious intent and active abuse patterns.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md and references explicitly instruct fetching and analyzing arbitrary public websites (e.g., using PPScan/ppmap with Puppeteer, curl to fetch target pages/package.json, and Python exploit code that posts payloads and reads responses) so the agent would ingest untrusted, user-controlled web content and use it to decide and drive further actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs cloning and running external repositories at runtime—e.g., "git clone https://github.com/nicedayzhu/PPScan.git" and "git clone https://github.com/nicedayzhu/ppmap.git"—which fetch remote code that will be executed locally and are presented as required tooling, so they constitute high-confidence runtime external dependencies that execute code.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt contains explicit, actionable instructions and payloads for achieving server-side RCE (via child_process, NODE_OPTIONS, template engine gadgets, env/shell pollution) which enable arbitrary command execution and thus can fully compromise the host machine's state.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 22, 2026, 07:58 AM
Issues: 4