xslt-injection

Warn

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides XML snippets that execute system commands, such as rt:exec (the Xalan Java extension binding for java.lang.Runtime) and Process.Start for .NET, allowing terminal command execution on the server running the XSLT processor.
  • [REMOTE_CODE_EXECUTION]: The documentation includes instructions for gaining remote code execution by exploiting XSLT processor features such as PHP's php:function (registered through registerPHPFunctions) with the assert call, or Java extension functions, to run arbitrary code.
  • [DATA_EXFILTRATION]: The methodology outlines how to use XSLT functions such as document() to read files from the local filesystem (e.g., /etc/passwd) or, with an http:// URI, to perform server-side request forgery (SSRF) against internal network resources.
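To make the document() vector concrete, below is an added example (not part of this audit and not code from the audited skill) showing the vulnerable Java pattern the analysis describes, an attacker-supplied stylesheet beside it, and the JAXP hardening that closes it. Class and method names, the temporary "secret" file, and the constructed input document are assumptions made for the demo; the javax.xml.transform and XMLConstants calls are standard JDK API.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltInjectionDemo {

    // Constructed input document. In the vulnerable pattern the *stylesheet*,
    // not just this data, comes from the user (e.g. an uploaded report template).
    static final String DATA = "<order><id>42</id></order>";

    // Constructed attacker stylesheet: document() pulls an arbitrary URI into
    // the output. A file:// URI reads the local filesystem; an http:// URI to an
    // internal host turns the same call into SSRF.
    static String maliciousStylesheet(String uri) {
        return "<xsl:stylesheet version=\"1.0\" "
             + "xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
             + "<xsl:output method=\"text\"/>"
             + "<xsl:template match=\"/\">"
             + "<xsl:value-of select=\"document('" + uri + "')\"/>"
             + "</xsl:template>"
             + "</xsl:stylesheet>";
    }

    // VULNERABLE: default factory, caller-controlled stylesheet, no restrictions.
    static String transformUnsafe(String xml, String xslt) throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        return run(tf, xml, xslt);
    }

    // HARDENED: FEATURE_SECURE_PROCESSING disables extension functions (the
    // java:/rt:exec bindings used for command execution), and emptying the
    // ACCESS_EXTERNAL_* attributes blocks document(), xsl:include and
    // xsl:import from reaching files or the network.
    static String transformHardened(String xml, String xslt) throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return run(tf, xml, xslt);
    }

    private static String run(TransformerFactory tf, String xml, String xslt)
            throws TransformerException {
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive XML file on the server (constructed for the demo).
        Path secret = Files.createTempFile("secret", ".xml");
        Files.writeString(secret, "<config><dbPassword>hunter2</dbPassword></config>");
        String payload = maliciousStylesheet(secret.toUri().toString());

        try {
            System.out.println("unsafe   -> " + transformUnsafe(DATA, payload).trim());
        } catch (TransformerException e) {
            System.out.println("unsafe   -> error: " + e.getMessage());
        }
        try {
            // Expected: the file is not read. Depending on the processor this
            // surfaces as a TransformerException or as an empty result (assumption).
            System.out.println("hardened -> '" + transformHardened(DATA, payload).trim() + "'");
        } catch (TransformerException e) {
            System.out.println("hardened -> blocked: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with `javac XsltInjectionDemo.java && java XsltInjectionDemo`. The unsafe path prints the contents of the temporary file, which is exactly the DATA_EXFILTRATION finding above; the hardened path refuses the external reference. When reviewing a codebase, grep for `TransformerFactory.newInstance()` (and the .NET `XslCompiledTransform` / PHP `XSLTProcessor` equivalents) and check whether the stylesheet source can be influenced by a user and whether these restrictions are set.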
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 22, 2026, 10:08 AM