File Path Traversal Testing
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH (PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE)
Full Analysis
- [PROMPT_INJECTION]: The skill's description and metadata instruct the agent to perform actions that bypass safety guidelines, specifically framing exploitation and unauthorized file access as a 'testing' methodology.
- [DATA_EXFILTRATION]: Detailed methodologies are included for targeting and extracting highly sensitive information, including system password hashes (/etc/shadow), root SSH private keys, and the Windows SAM database, as well as configuration files like .env which frequently contain credentials.
- [REMOTE_CODE_EXECUTION]: The skill provides step-by-step instructions for escalating Local File Inclusion (LFI) to RCE via log poisoning techniques and the use of PHP stream wrappers (php://input, data://, expect://) to execute arbitrary commands on the target host.
- [COMMAND_EXECUTION]: The workflow includes ready-to-use command-line instructions for external security tools such as curl, ffuf, and wfuzz to automate the discovery and exploitation of directory traversal vulnerabilities.
- [CREDENTIALS_UNSAFE]: The skill explicitly targets file paths designed to store secrets and credentials, such as wp-config.php and SSH keys, providing specific payloads to retrieve these secrets from the filesystem.
Recommendations
- AI detected serious security threats