criticalSkill·

AGS-2026-0021

xurl skill vulnerable to SSRF, allowing local file read and credential exfiltration via webhook

What Happened

A critical vulnerability has been discovered in the popular xurl skill (used by AI assistants to fetch web page content). The skill fails to properly sanitize input URLs and does not restrict HTTP redirects. Attackers can prompt the AI to fetch a malicious external link that redirects to internal network addresses (SSRF) or local file paths (using the file:// protocol). This allows the attacker to trick the AI into reading local configuration files and exfiltrating them to an external webhook.

Who's Affected

  • Users running xurl skill versions <= 1.3.0 locally via desktop AI clients.
  • Enterprise deployments using xurl in containerized environments without strict egress network policies.

Indicators of Compromise (IoCs)

  • Skill execution logs showing requests to internal IP ranges (e.g., 127.0.0.1, 169.254.169.254).
  • AI output stream generating base64-encoded strings appended to unknown webhook URLs.

How to Spot It

Monitor your network logs for unexpected outbound POST requests originating from the AI client's process. Check the local skill logs for attempts to access ~/.aws/credentials, ~/.ssh/id_rsa, or .env files.

Self-check

AgentGuard subscribers receive this advisory automatically and their local guard runs the inspection below.

Inspect paths

  • ~/.claude/skills
  • ~/.openclaw/*/skills
  • ~/.openclaw/workspace/skills
  • ~/.hermes/skills

Remediation: quarantine### Remediation Steps 1. **Uninstall / Disable**: Immediately disable or uninstall the `xurl` skill from your AI client's skill directory (e.g., `~/.claude/skills/xurl`). 2. **Rotate Tokens**: If you suspect the AI assistant processed malicious prompts while this skill was active, immediately rotate any local cloud provider tokens (AWS, GCP, Azure), GitHub PATs, or API keys stored in your home directory or environment variables. 3. **Network Isolation**: Ensure your AI client runs in a sandboxed environment with strict egress filtering. Block the AI process from accessing loopback addresses or cloud metadata APIs. 4. **Update**: Wait for the release of `xurl v1.3.1`, which implements an allowed-domain sandbox and completely disables the `file://` protocol handler.

References