python-web-debug

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs retrieving secrets (machine-id, MAC, Django SECRET_KEY, cookies/PIN) and then embedding those values verbatim into curl requests and forged sessions/commands, which requires the LLM to handle and output secret values directly.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is explicit offensive guidance for achieving remote code execution, secret/credential exfiltration, and system compromise by abusing Python web frameworks' debug modes (Werkzeug/Django/FastAPI/Tornado), including step-by-step PIN calculation, file reads (machine-id, MAC, /etc/passwd), SSRF/LFI techniques, and command execution — clearly malicious and intended for exploitation.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs fetching and parsing untrusted public web pages and endpoints from targets (e.g., curl http://TARGET/console, http://TARGET/openapi.json, error pages and SSRF/LFI-read URLs) and then using extracted data (PIN, SECRET_KEY, OpenAPI paths, file contents) to drive exploit actions, so it clearly ingests third-party user-controlled content that can influence subsequent tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly issues runtime requests to the Werkzeug debugger endpoint (e.g. http://TARGET/console and its debugger query endpoints) and SSRF file:// URLs to extract secrets/PINs and then execute arbitrary Python commands on the remote host, so the listed URLs are used at runtime to execute remote code.