Skills
skills/hacktronai/skills/waf-bypass-hunter/Gen Agent Trust Hub

waf-bypass-hunter

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill provides a functional exploit payload for CVE-2025-55182, which leverages prototype pollution in Next.js to achieve RCE. It instructs the agent to execute code on the target system to read sensitive files (e.g., /flag.txt).
  • [COMMAND_EXECUTION] (HIGH): The skill includes instructions to use curl and python to send malicious payloads. The included RCE payload specifically uses child_process.execSync to run system commands.
  • [DYNAMIC_EXECUTION] (MEDIUM): The skill utilizes a local execution endpoint at http://localhost:8009/execute to run arbitrary code snippets. This mechanism allows for the dynamic execution of logic generated by the agent during the task.
  • [DATA_EXFILTRATION] (LOW): The primary objective involves accessing /flag.txt. While intended for the CTF scenario, this pattern involves reading local system files and returning the content to the agent/attacker.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 17, 2026, 06:07 PM