ssti-server-side-template-injection

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This document is a high-risk offensive exploit playbook: it contains explicit, engine-specific RCE chains, sandbox-bypass and obfuscation techniques (hex/base64), instructions to write webshells and spawn reverse shells, and direct guidance for credential and sensitive-data exfiltration (env, config files, ~/.aws/credentials) and OOB DNS/HTTP callbacks — all indicating deliberate malicious compromise and persistence intent.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to send probes to remote web endpoints and ingest/interpret responses and error pages (e.g., SKILL.md §1 "DETECTION — POLYGLOT PROBE SEQUENCE", §11 SSTI→RCE flow and SCENARIOS.md examples) to fingerprint template engines and choose exploitation chains, which means it consumes untrusted public web content that directly drives next actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly contains RCE chains, commands to read sensitive local files (e.g., /etc/passwd, ~/.aws/credentials), and guidance to establish reverse shells/persistence, which enable executing arbitrary commands and compromising/modifying the host state.