security-auditor

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill provides powerful auditing capabilities that can be directed at arbitrary URLs or file paths. An attacker could use indirect prompt injection (e.g., instructions hidden in a website's metadata or a code comment) to trick the agent into running security scans against internal infrastructure or sensitive files.
  • Ingestion points: target_url parameter in dast_scan.py and path parameters in sast_scan.py, audit_dependencies.py, and detect_secrets.py.
  • Boundary markers: Absent. The skill does not implement delimiters or system-level instructions to ignore embedded commands in the data it processes.
  • Capability inventory: Executes multiple security tools via subprocess.run, including zap-cli, nikto, sqlmap, semgrep, codeql, bandit, and safety.
  • Sanitization: dast_scan.py performs a basic check that the URL starts with http:// or https://, but performs no further validation of the target (e.g., blocking internal IP ranges).
  • Command Execution (SAFE): The skill frequently executes external binaries to perform its auditing functions. All subprocess calls are implemented using list-based arguments rather than shell strings, effectively mitigating the risk of command injection through the script inputs. This behavior is consistent with the skill's primary purpose of security auditing.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 05:19 PM