Red Team Tools and Methodology
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill provides a custom shell script (recon.sh) and numerous bash commands that execute directly on the host system. The bash script is vulnerable to command injection because the $domain variable is used without any sanitization, allowing an attacker to execute arbitrary commands by supplying a malicious domain string.
  - Evidence: Section 10 contains a bash script that takes a positional parameter $1 and interpolates it into mkdir, subfinder, and httpx commands.
- [PROMPT_INJECTION] (HIGH): The skill has an extensive attack surface for Indirect Prompt Injection (Category 8) due to its core function of processing untrusted data from external web sources.
  - Ingestion points: Data is ingested from the live web via curl, waybackurls, gau, httpx, and nuclei vulnerability scans.
  - Boundary markers: None. The skill does not use delimiters or instructions to ignore embedded commands in the data it retrieves.
  - Capability inventory: The skill possesses high-impact capabilities including file system modification (mkdir), network requests (curl, ffuf), and the ability to execute security tools that can be repurposed for malicious use.
  - Sanitization: None. The skill retrieves raw HTML, headers, and historical URL data and presents it to the agent for analysis without filtering or escaping.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The methodology relies on numerous external third-party tools (Amass, Subfinder, Nuclei, Dalfox) which are not explicitly versioned or verified within the skill, increasing the risk of supply chain attacks if the agent is instructed to install them.
Recommendations
- AI detected serious security threats