business-logic-vulnerabilities

Audit result: Fail

Audited by Snyk on May 2, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This document is an explicitly offensive exploitation playbook, not a defensive checklist. It provides step-by-step techniques (race conditions; price, negative-value and integer-overflow tampering; captcha/OCR bypass; predictable or reusable reset-token abuse; session replacement; notify_url/callback tampering; and payment callback forgery) that enable fraud, credential takeover, payment exfiltration, and privilege escalation.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly targets and details exploitation of financial workflows and endpoints. It includes concrete payment-related operations and examples such as POST /api/withdraw_funds, manipulating payment_status to mark orders as "paid", transaction_id reuse for checkout, refund/status PUTs, payment parameter tampering (price, discount, currency, gateway, return_url), double-spend/double-redeem of balances/gift cards, and techniques to generate negative balances or reverse bank transfers. These are specific, finance-focused attack techniques against payment, withdrawal, and transaction APIs (not generic browser or HTTP tooling), so it constitutes direct financial execution capability.
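To make the two findings concrete, the following is an added example written for this page; it is not code from the audited skill or from Snyk. It shows the pattern the flagged techniques exploit (a checkout that trusts client-supplied price and quantity) beside a hardened handler that recomputes totals server-side, bounds quantities, authenticates the gateway's notify callback with an HMAC, rejects amount/currency mismatches, and refuses a reused transaction_id or a second settlement of an already-paid order. The catalogue, the shared gateway secret, the HMAC-SHA256 callback signature scheme, and the helper names (hardened_total, PaymentSettlement, make_callback, rejects) are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed for this example: the server-side price list (in cents) and the
# shared secret the gateway uses to sign callbacks. Neither is client-supplied.
CATALOG: Dict[str, int] = {"sku-mug": 1999, "sku-pen": 500}
GATEWAY_SECRET = b"example-gateway-secret"
MAX_QTY = 1000


class CheckoutError(ValueError):
    """Raised when an order or a payment callback fails validation."""


def vulnerable_total(items: List[dict]) -> int:
    """The pattern the playbook targets: price and qty come straight from the
    request, so negative, zero, huge or simply wrong values are summed as-is."""
    return sum(item["price"] * item["qty"] for item in items)


def hardened_total(items: List[dict]) -> int:
    """Recompute the total from server-side prices and bounded integer quantities."""
    total = 0
    for item in items:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG:
            raise CheckoutError(f"unknown sku {sku!r}")
        # bool is a subclass of int; True would otherwise pass as qty == 1
        if not isinstance(qty, int) or isinstance(qty, bool):
            raise CheckoutError("qty must be an integer")
        if not 1 <= qty <= MAX_QTY:
            raise CheckoutError(f"qty {qty} out of range")
        total += CATALOG[sku] * qty
    return total


def gateway_sign(body: bytes) -> str:
    """Assumed gateway behaviour: HMAC-SHA256 over the raw callback body."""
    return hmac.new(GATEWAY_SECRET, body, hashlib.sha256).hexdigest()


def make_callback(order_id: str, txn: str, amount: int,
                  currency: str = "USD", status: str = "success") -> bytes:
    """Build a gateway notify_url payload (constructed input for the example)."""
    return json.dumps({"order_id": order_id, "transaction_id": txn,
                       "amount": amount, "currency": currency,
                       "status": status}, sort_keys=True).encode()


class PaymentSettlement:
    """Callback handler that defeats forged, replayed and mismatched callbacks."""

    def __init__(self) -> None:
        self.orders: Dict[str, dict] = {}
        self.consumed_txn: set = set()

    def create_order(self, order_id: str, items: List[dict]) -> int:
        total = hardened_total(items)
        self.orders[order_id] = {"total": total, "status": "pending"}
        return total

    def settle(self, body: bytes, signature: str) -> str:
        # 1. Authenticate the callback before trusting any field in it.
        if not hmac.compare_digest(gateway_sign(body), signature):
            raise CheckoutError("bad callback signature")
        data = json.loads(body)
        order = self.orders.get(data.get("order_id"))
        if order is None:
            raise CheckoutError("unknown order")
        # 2. Idempotency: a second "paid" for the order, or a transaction_id
        #    already redeemed elsewhere, is a replay / double-redeem.
        txn = data.get("transaction_id")
        if order["status"] == "paid" or txn in self.consumed_txn:
            raise CheckoutError("duplicate settlement")
        # 3. The gateway's amount must equal the server-computed total, not
        #    whatever price/currency the client sent to the gateway.
        if data.get("currency") != "USD" or data.get("amount") != order["total"]:
            raise CheckoutError("amount/currency mismatch")
        if data.get("status") != "success":
            raise CheckoutError("gateway did not report success")
        self.consumed_txn.add(txn)
        order["status"] = "paid"
        return order["status"]


def rejects(fn, *args) -> bool:
    """True if fn(*args) is refused with CheckoutError (shows a check firing)."""
    try:
        fn(*args)
    except CheckoutError:
        return True
    return False
```

The ordering of checks in settle matters: the signature is verified over the raw bytes before json.loads runs, so an attacker who cannot sign never reaches the parsing or state-changing code, and the amount comparison is against the server's stored total, which is the only thing that stops a gateway-reported "success" for a tampered price from marking the order paid.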

Issues (2)

E006 (CRITICAL): Malicious code pattern detected in skill scripts.

W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: CRITICAL
Analyzed: May 2, 2026, 05:26 PM
Issues: 2