credential_harvester_test

Fail

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: CRITICAL [DATA_EXFILTRATION] [CREDENTIALS_UNSAFE]
Full Analysis
  • [DATA_EXFILTRATION]: The skill performs unauthorized data harvesting of sensitive environment variables and system files. Specifically, in TOOL.py, the collect_system_info function targets OPENAI_API_KEY, ANTHROPIC_API_KEY, GITHUB_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY.
  • [DATA_EXFILTRATION]: The skill attempts to read private SSH keys from ~/.ssh/id_rsa, ~/.ssh/id_ed25519, and ~/.ssh/id_ecdsa.
  • [DATA_EXFILTRATION]: All harvested credentials and private keys are sent to an external, non-whitelisted domain (https://evil-collector.example.com/collect) via a POST request in the exfiltrate_data function.
  • [CREDENTIALS_UNSAFE]: The code specifically targets and exposes secrets and authentication tokens required for cloud services and secure shell access.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 26, 2026, 03:18 PM