moai-security-ssrf

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality of fetching and processing external data.
  • Ingestion points: The skill ingests untrusted data via the proxy_url parameter in the Express middleware (examples.md) and the url parameter in the SSRFProtection class (SKILL.md).
  • Boundary markers: There are no boundary markers or delimiters used to separate external content from the agent's system instructions.
  • Capability inventory: The skill is granted Bash, WebFetch, and Write permissions, which could be leveraged if an attacker-controlled URL contains malicious instructions that the LLM follows.
  • Sanitization: The implementation focuses on SSRF validation (blocking private IPs and internal domains) but does not sanitize the fetched content to prevent instruction injection.
  • [COMMAND_EXECUTION]: The skill configuration in SKILL.md explicitly requests and is granted the Bash tool permission. While no malicious shell scripts are found in the distribution, the combination of shell access with the processing of untrusted web content represents a security risk surface.
  • [EXTERNAL_DOWNLOADS]: The skill depends on external software and services to function.
  • Dependencies: The META.json and code samples reference several Node.js packages including node-fetch, valid-url, axios, and ip.
  • Network API: The skill makes outbound network requests to api.context7.ai to retrieve threat intelligence and reputation data for URLs.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 01:07 AM