
hunt-ssti

Detects server-side template injection vulnerabilities across various templating engines, enabling escalation to remote code execution.

Security score: 33/100

The hunt-ssti skill was audited on May 29, 2026 and we found 7 security issues across 3 threat categories, including 1 critical. Review the findings below before installing.

Security Issues

critical, line 49: Direct command execution function call
Source: SKILL.md, line 49
- **`hunt-file-upload`** — Office docs, SVGs, and email templates uploaded by the user are common SSTI surfaces (the server re-renders them). Chain primitive: upload a DOCX whose `word/document.xml` c

medium, line 10: Template literal with variable interpolation in command context
Source: SKILL.md, line 10: ```

high, line 46: Template literal with variable interpolation in command context
Source: SKILL.md, line 46
- **`hunt-rce`** — SSTI is the easiest path to RCE on Python/Ruby/PHP/Java stacks because the template language already exposes the runtime. Chain primitive: Jinja2 `{{config.__class__.__init__.__glob

high, line 49: Template literal with variable interpolation in command context
Source: SKILL.md, line 49
- **`hunt-file-upload`** — Office docs, SVGs, and email templates uploaded by the user are common SSTI surfaces (the server re-renders them). Chain primitive: upload a DOCX whose `word/document.xml` c

low, line 28: Access to .env file
Source: SKILL.md, line 28
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

medium, line 50: Access to .env file
Source: SKILL.md, line 50
- **`security-arsenal`** — Reach for the engine-specific escape payload tree: Jinja2 class-walker variants (`__subclasses__()[N]` index hunting), Twig `_self.env` registerUndefinedFilterCallback, Free

low, line 48: External URL reference
Source: SKILL.md, line 48
- **`hunt-ssrf`** — Template engines often expose URL fetchers/filters before they expose the runtime, giving you SSRF before RCE. Chain primitive: Twig `{{ include('http://169.254.169.254/latest/meta
Scanned on May 29, 2026