cloud-penetration-testing
skills-sh:sickn33_antigravity-awesome-skills__cloud-penetration-testing
View sourceFirst Seen
Feb 18, 2026
Last Scanned
Feb 20, 2026
Findings
17
Score
0/100
Findings (17)
Detects cloud provider metadata endpoint URLs used for SSRF attacks
curl http://169.254.169.254Block requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal). Implement URL validation that rejects private IP ranges and cloud metadata addresses.
Likely FP if the match is in documentation explaining cloud security concepts or SSRF prevention rather than actual code making metadata requests.
Detects cloud provider metadata endpoint URLs used for SSRF attacks
http://metadata.google.internalBlock requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal). Implement URL validation that rejects private IP ranges and cloud metadata addresses.
Likely FP if the match is in documentation explaining cloud security concepts or SSRF prevention rather than actual code making metadata requests.
Detects cloud provider metadata endpoint URLs used for SSRF attacks
http://metadata.google.internalBlock requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal). Implement URL validation that rejects private IP ranges and cloud metadata addresses.
Likely FP if the match is in documentation explaining cloud security concepts or SSRF prevention rather than actual code making metadata requests.
Detects patterns of downloading and piping to shell execution
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip && sudo ./aws/install
# GCP CLI
curl https://sdk.cloud.google.com | bashDownload the file first, verify its integrity (checksum, signature), inspect it, then run it. Prefer package managers over raw downloads. Never fetch-and-run in one step.
Likely FP if the target is a well-known installer (e.g., rustup, Homebrew) from its canonical HTTPS domain, though the pattern is inherently risky.
Detects downloading scripts piped directly to a shell interpreter
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip && sudo ./aws/install
# GCP CLI
curl https://sdk.cloud.google.com | bashDownload the script first, inspect it, verify its checksum, then run it. Do not pipe curl/wget output directly to sh/bash. Prefer package manager installs.
Likely FP if the download is from a well-known installer domain (e.g., brew.sh, rustup.rs), though this pattern is inherently risky even with trusted sources.
Detects cloud provider metadata endpoint URLs used for SSRF attacks
curl http://169.254.169.254Block requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal). Implement URL validation that rejects private IP ranges and cloud metadata addresses.
Likely FP if the match is in documentation explaining cloud security concepts or SSRF prevention rather than actual code making metadata requests.
Detects AWS Instance Metadata Service token requests
latest/meta-data/iamBlock requests to internal service discovery endpoints (consul, etcd, kubernetes API). Implement network segmentation between the agent and internal infrastructure services.
Likely FP if the match is documentation about service discovery architecture without actual code that queries these endpoints.
Detects cloud provider token and credential endpoints
http://169.254.169.254/latest/meta-data/iam/security-credentials/Block access to cloud instance metadata services using IMDSv2 token requirements, network rules, or iptables. This is a critical vector for credential theft in cloud environments.
Likely FP if the match is in security documentation explaining how to protect against SSRF/IMDS attacks rather than code that accesses the metadata service.
Detects cloud provider metadata endpoint URLs used for SSRF attacks
curl http://169.254.169.254Block requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal). Implement URL validation that rejects private IP ranges and cloud metadata addresses.
Likely FP if the match is in documentation explaining cloud security concepts or SSRF prevention rather than actual code making metadata requests.
Detects AWS Instance Metadata Service token requests
X-aws-ec2-metadata-tokenBlock requests to internal service discovery endpoints (consul, etcd, kubernetes API). Implement network segmentation between the agent and internal infrastructure services.
Likely FP if the match is documentation about service discovery architecture without actual code that queries these endpoints.
Detects cloud provider metadata endpoint URLs used for SSRF attacks
curl http://169.254.169.254Block requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal). Implement URL validation that rejects private IP ranges and cloud metadata addresses.
Likely FP if the match is in documentation explaining cloud security concepts or SSRF prevention rather than actual code making metadata requests.
Detects AWS Instance Metadata Service token requests
X-aws-ec2-metadata-tokenBlock requests to internal service discovery endpoints (consul, etcd, kubernetes API). Implement network segmentation between the agent and internal infrastructure services.
Likely FP if the match is documentation about service discovery architecture without actual code that queries these endpoints.
Detects cloud provider metadata endpoint URLs used for SSRF attacks
http://metadata.google.internalBlock requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal). Implement URL validation that rejects private IP ranges and cloud metadata addresses.
Likely FP if the match is in documentation explaining cloud security concepts or SSRF prevention rather than actual code making metadata requests.
Detects cloud provider metadata endpoint URLs used for SSRF attacks
http://metadata.google.internalBlock requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal). Implement URL validation that rejects private IP ranges and cloud metadata addresses.
Likely FP if the match is in documentation explaining cloud security concepts or SSRF prevention rather than actual code making metadata requests.
Detects chained commands using shell operators with dangerous operations
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip && sudo ./aws/install
# GCP CLI
curl https://sdk.cloud.google.com | bashBreak chained commands into discrete, individually validated steps. Avoid piping untrusted output directly into a shell interpreter.
Likely FP if the matched text is a documentation example showing a common installer one-liner for a well-known tool with a canonical URL.
Detects downloading binary, archive, or installer files from remote URLs
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zipVerify the integrity of downloaded binaries or archives using SHA-256 checksums or GPG signatures. Pin download URLs to specific versions and avoid fetching from unverified sources.
Likely FP if the download is from github.com or githubusercontent.com for a specific tagged release with documented checksums.
Detects pip install of arbitrary packages that modify the host environment
pip install scPin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
Likely FP if the match is in documentation showing how to install the skill's own PyPI package.