ssrf-server-side-request-forgery

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This playbook explicitly instructs fetching cloud and service-account credentials (metadata tokens, serviceaccount token files) and shows using them in request headers/commands, which requires handling and embedding secret values verbatim (high exfiltration risk).

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This document is an explicit offensive SSRF playbook containing concrete exploit payloads and step-by-step techniques (cloud metadata exfiltration including IMDSv1/v2 bypasses, gopher:// Redis/MySQL/FastCGI injection, crontab reverse-shell/webshell creation, Docker API abuse, DNS rebinding, and client-side exfiltration) that clearly enable credential theft, remote code execution, system compromise, and persistent backdoors.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md and companion SCENARIOS.md explicitly instruct supplying and fetching arbitrary external URLs and services (e.g., Burp Collaborator / interact.sh, rbndr.us, attacker-controlled domains, URL shorteners and open redirects) so the agent will fetch and interpret untrusted third‑party content as part of its workflow, which can materially influence subsequent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs exploiting SSRF to access cloud metadata, Docker API, Redis, and other internal services to create privileged containers, write files (e.g., webshells, cron jobs), and execute commands that modify the target host's filesystem and state, so it encourages compromising the machine's state.