penetration-tester
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The scripts (auth_test.py, recon_scan.py, sql_injection_test.py, vuln_scan.py, web_app_test.py, xss_test.py) make frequent use of `subprocess.run` to call external security binaries like `nmap`, `sqlmap`, `hydra`, and `gobuster`. While list-based arguments are used to prevent shell injection, the skill provides a high-risk capability surface for an AI agent to perform unauthorized network attacks.
- PROMPT_INJECTION (LOW): Several scripts, notably `generate_report.py` and `web_app_test.py`, ingest external data from tool outputs (e.g., ZAP JSON reports) and interpolate this content into markdown reports without sanitization, creating an indirect injection surface.
  - Ingestion points: `ReportGenerator.load_findings` (JSON) and `WebAppTester.run_owasp_zap` (via `zap_report.json`).
  - Boundary markers: None present; external data is processed directly.
  - Capability inventory: Extensive subprocess execution, file system writes, and network tool orchestration.
  - Sanitization: No escaping or validation is performed on the ingested vulnerability descriptions or findings before they are rendered into reports.
- EXTERNAL_DOWNLOADS (LOW): The skill documentation and internal error handlers encourage the installation of multiple third-party tools from various sources (e.g., `pip install sublist3r`, `apt install hydra`, sqlmap.org), which increases the overall attack surface and trust requirements.
- COMMAND_EXECUTION (MEDIUM): In `vuln_scan.py`, the `run_openvas_scan` function constructs an OMP XML command using f-strings inside a subprocess argument (`f'X<create_task>...<target hosts="{target}"/>...'`). A malicious target string could potentially perform XML injection to manipulate the OpenVAS task configuration.
Audit Metadata