rabbitmq-exploit

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill embeds explicit credentials (guest/guest and its Base64 form) and directs using them in API calls/commands (e.g., Authorization header, erl -cookie, /api/users), which forces the LLM to include secret values verbatim in generated outputs.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content is a clearly intentional exploit toolkit: it documents and provides code/commands for credential abuse, creating backdoor accounts, stealing Erlang cookies, executing remote commands (RCE via Erlang/erl and Spring AMQP deserialization), and techniques to read/exfiltrate sensitive files and secrets (e.g., /etc/shadow, container cookie via Docker API), which constitute deliberate malicious/backdoor behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's scripts and workflows (e.g., references/detection-script.md and references/management-api.md) explicitly fetch and parse responses from arbitrary target HTTP endpoints like /api/overview, /api/users, /api/queues and network services (4369/epmd, 5672/AMQP), treating that untrusted third‑party content as input to make decisions and perform follow-up actions (enumeration, creating backdoor users, or exploiting RCE).

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill explicitly instructs creating backdoor users via the management API, performing Erlang-cookie RCE (os:cmd), and other exploit actions that modify service/system state and enable remote code execution, so it pushes the agent to compromise the host's state.