waf-bypass-methodology
Audited by Socket on Apr 29, 2026
3 alerts found:
Alert categories: Anomaly, Security (x2)

This fragment is instructional content enumerating WAF-evasion encodings for SQL injection/XSS payloads; it contains no executable logic, so there is no direct evidence of runtime malware (exfiltration, backdoors, credential theft) within the provided code snippet. However, the explicit, offensive-focused nature of the content makes it a notable security concern if it is included in a dependency in a way that could influence behavior or testing tooling. More context is needed to determine whether it is harmless documentation or part of active attack/abuse tooling.
This skill has no obvious malicious install chain, credential theft, or data-exfiltration path, but its core purpose is to teach an AI agent to identify and bypass WAFs, which makes it an attack/exploitation-oriented security skill. In the context of AI Agent Skills, this capability is out of proportion to normal development assistance; the risk comes mainly from offensive automation against external targets rather than from malware-like behavior.
No executable malware is present in this fragment; however, the content is explicitly offensive and designed to help bypass WAF/signature-based defenses using encoding/keyword-splitting/comment/whitespace manipulation and HTTP Content-Type switching. In a software supply-chain context, inclusion of such exploitation-enabling instructions is a high-risk signal and warrants deeper review of the containing package for any accompanying executable behavior.