pentest-cloud-infrastructure

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The execute_command function in references/tools.md allows for unrestricted shell command execution. This provides a direct mechanism for an attacker to run arbitrary code on the underlying system if the agent is manipulated into executing malicious payloads.
  • COMMAND_EXECUTION (MEDIUM): Nearly all defined tool functions (e.g., prowler_scan, scout_suite_assessment, trivy_scan) accept an additional_args parameter. This is a dangerous pattern that permits command injection if the agent interpolates untrusted data into these arguments without strict validation or escaping.
  • PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its core workflow. Evidence:
    1. Ingestion points: The agent processes outputs from external security scanners such as trivy, prowler, and kube-hunter to inform its next steps, as described in references/workflows.md.
    2. Boundary markers: No delimiters or explicit 'ignore embedded instructions' warnings are defined in the tool definitions or workflow descriptions.
    3. Capability inventory: The skill has access to powerful exploitation tools (pacu), arbitrary shell execution (execute_command), and the ability to write to the file system (output directories).
    4. Sanitization: There is no indication of sanitization or structural validation of tool outputs before they are processed by the 'IntelligentDecisionEngine'.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 18, 2026, 05:57 PM