WebAssessment

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE

Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection (Category 8). It fetches bug bounty program metadata from an external, non-trusted GitHub repository (arkadiyt/bounty-targets-data) and uses this data to generate instructions for a 'pentester agent' in BugBountyTool/src/recon.ts.
    - Ingestion points: BugBountyTool/src/github.ts fetches JSON data via the GitHub API and raw content URLs.
    - Boundary markers: The prompt generation logic in recon.ts lacks delimiters or instructions to ignore embedded commands within the program metadata.
    - Capability inventory: The skill has access to powerful system tools and subprocess execution via WebappScripts/with_server.py and various pentesting workflows.
    - Sanitization: External data (e.g., program names, URLs) is interpolated directly into agent-facing prompts without validation or escaping.
  • [COMMAND_EXECUTION] (LOW): The skill makes extensive use of local command execution to manage web servers and run security tools (e.g., nmap, ffuf, sqlmap). WebappScripts/with_server.py uses subprocess.Popen with shell=True to execute strings provided via CLI arguments. While this is consistent with the primary purpose of a security assessment skill, it represents a significant capability surface.
  • [EXTERNAL_DOWNLOADS] (LOW): The BugBountyTool automatically fetches updates from a third-party GitHub repository. Although the downloaded content is processed as JSON data rather than executable code, the source is not among the verified trusted organizations defined in the security policy.
Audit Metadata

Risk Level: SAFE

Analyzed: Feb 17, 2026, 06:01 PM