race-condition-methodology

Fail

Audited by Snyk on Mar 30, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructions show curl commands that embed a session cookie header (Cookie: session=xxx). Following them means placing session tokens directly into command-line requests, where they are exposed in shell history and process listings, and requires the agent to substitute secret values verbatim (high exfiltration risk).

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The content is explicitly malicious: it gives step-by-step attack techniques and runnable scripts that exploit TOCTOU/race conditions for double-spending and other unauthorized actions, and it includes an upload-and-access webshell () that enables remote code execution and data exfiltration.
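To make concrete what the E006 finding means by a TOCTOU double-spend, here is an added in-process illustration of the flaw class beside its hardened form. It is example code written for this page, not the skill's scripts and not Snyk's analysis; the two wallet classes, the 0.2 s sleep that stands in for backend latency, and the barrier that lines the requests up are constructed for the demonstration.

```python
import threading
import time


class NaiveWallet:
    """Vulnerable check-then-act transfer (constructed example): the balance
    check and the debit are separate steps, and the sleep between them stands
    in for the DB/network latency that gives a concurrent request its window."""

    def __init__(self, balance: int) -> None:
        self.balance = balance

    def transfer(self, amount: int) -> bool:
        if self.balance < amount:      # time of check
            return False
        time.sleep(0.2)                # the TOCTOU window: other requests pass the same check here
        self.balance -= amount         # time of use
        return True


class AtomicWallet:
    """Hardened transfer (constructed example): check and debit happen in one
    critical section, the in-process analogue of a single conditional
    UPDATE ... WHERE balance >= :amount on the server side."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self._lock = threading.Lock()

    def transfer(self, amount: int) -> bool:
        with self._lock:
            if self.balance < amount:
                return False
            time.sleep(0.2)            # same latency, but the window is now serialized
            self.balance -= amount
            return True


def race(wallet, amount: int, requests: int) -> int:
    """Fire `requests` concurrent transfers against `wallet` and return how
    many of them reported success."""
    start = threading.Barrier(requests)   # release every thread at the same instant
    successes = []
    results_lock = threading.Lock()

    def worker() -> None:
        start.wait()
        if wallet.transfer(amount):
            with results_lock:
                successes.append(1)

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(successes)


if __name__ == "__main__":
    naive = NaiveWallet(100)
    print("naive:", race(naive, 100, 2), "succeeded, balance", naive.balance)
    atomic = AtomicWallet(100)
    print("atomic:", race(atomic, 100, 2), "succeeded, balance", atomic.balance)
```

With a balance of 100 and two concurrent transfers of 100, the naive wallet lets both requests pass the check before either debits, so both succeed and the balance ends at -100; the atomic wallet accepts exactly one and ends at 0. In a real service the fix is the same shape: one conditional statement such as `UPDATE accounts SET balance = balance - :amount WHERE id = :id AND balance >= :amount` with the affected-row count deciding success, or `SELECT ... FOR UPDATE` inside the same transaction. Rate limits and idempotency keys shrink the blast radius but do not close the window.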

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's required workflow and the scripts it references (SKILL.md and references/race-scripts.md) instruct the agent to send HTTP requests to arbitrary targets (e.g., http://target/...) and to read and act on the responses (r.text is checked for "FLAG"). Untrusted content from those targets is therefore ingested and can materially influence the agent's actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly targets "balance consumption/transfer" (余额消费/转账) scenarios and includes a concrete example that sends transaction requests to an /api/transfer endpoint (a curl loop posting amount=100&to=attacker). This is not generic automation: it demonstrates sending financial transfer transactions and exploiting them for a double-spend. Under the decision logic ("Send Transaction" → flag), this constitutes direct financial execution capability.
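The three W-findings above are pattern matches over the skill text. As an added example, not Snyk's scanner and not its published rules, here is a hypothetical re-implementation of those three checks run over a constructed SKILL.md fragment. The regexes, the reuse of the report's rule names and severities, and the sample text are all assumptions made for the demonstration; E006 (malicious intent) is deliberately left out, since it is a judgement about purpose rather than a pattern.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int
    evidence: str


# Hypothetical rule patterns modelled on the W-findings in the report; they
# illustrate the idea and are not the auditor's real rules.
# W007: a curl command carrying a cookie value inline (-H "Cookie: k=v", -b k=v, --cookie k=v).
COOKIE_IN_CURL = re.compile(
    r"curl\b[^\n]*?(?:-H\s+['\"]?Cookie:\s*|(?:-b|--cookie)\s+['\"]?)[\w-]+=\S+", re.I)
# W009: a money-moving endpoint together with transfer parameters on the same line.
MONEY_ENDPOINT = re.compile(r"/api/(?:transfer|pay|withdraw|checkout)\b", re.I)
MONEY_PARAMS = re.compile(r"\b(?:amount|to)=", re.I)
# W011: a request to an arbitrary external host plus code that branches on the response body.
EXTERNAL_TARGET = re.compile(r"https?://[\w.-]+(?::\d+)?/", re.I)
RESPONSE_USE = re.compile(r"\b(?:r|resp|response)\.(?:text|content|json)\b")

SEVERITY_RANK = {"MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed SKILL.md fragment for the demonstration, not the audited skill.
SAMPLE_SKILL = """\
# Race condition methodology (constructed sample, not the audited skill)
1. Check the balance first:
   curl -H "Cookie: session=xxx" http://target/api/balance
2. Fire the transfers in parallel:
   for i in $(seq 1 20); do curl -X POST -d "amount=100&to=attacker" http://target/api/transfer & done; wait
3. Verify with the script in references/race-scripts.md:
   r = requests.get("http://target/api/balance")
   if "FLAG" in r.text: print("won the race")
"""


def scan_skill(text: str) -> list[Finding]:
    """Return rule hits for one skill document, ordered by line number."""
    findings: list[Finding] = []
    lines = text.splitlines()
    for no, line in enumerate(lines, 1):
        if COOKIE_IN_CURL.search(line):
            findings.append(Finding("W007", "HIGH", no, line.strip()))
        if MONEY_ENDPOINT.search(line) and MONEY_PARAMS.search(line):
            findings.append(Finding("W009", "MEDIUM", no, line.strip()))
    # W011 needs both halves: a fetch from an external host anywhere in the
    # document, and a line that acts on the response body.
    if any(EXTERNAL_TARGET.search(line) for line in lines):
        for no, line in enumerate(lines, 1):
            if RESPONSE_USE.search(line):
                findings.append(Finding("W011", "MEDIUM", no, line.strip()))
                break
    return sorted(findings, key=lambda f: (f.line_no, f.rule))


def audit(text: str) -> dict:
    """Aggregate findings into a Pass/Fail verdict and the worst severity seen."""
    findings = scan_skill(text)
    if not findings:
        return {"status": "Pass", "risk_level": "NONE", "findings": []}
    worst = max(findings, key=lambda f: SEVERITY_RANK[f.severity])
    return {"status": "Fail", "risk_level": worst.severity, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_SKILL)
    print(result["status"], result["risk_level"])
    for f in result["findings"]:
        print(f"{f.rule} {f.severity} line {f.line_no}: {f.evidence}")
```

On the constructed sample the verdict is Fail with risk level HIGH rather than the report's CRITICAL, precisely because the E006 judgement is not reproduced. The two-part W011 rule also shows why that finding is a medium rather than a false positive: a fetch from an arbitrary host or a branch on a response body is ordinary automation on its own, and only the combination lets a remote party steer the agent.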

Issues (4)

W007  HIGH      Insecure credential handling detected in skill instructions.
E006  CRITICAL  Malicious code pattern detected in skill scripts.
W011  MEDIUM    Third-party content exposure detected (indirect prompt injection risk).
W009  MEDIUM    Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 30, 2026, 02:19 AM
Issues: 4