pentest-exploit-validation

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The turbo_intruder tool defined in references/tools.md accepts a payload_generator parameter, which is explicitly described as a "Python script for payload generation." This allows for the dynamic execution of arbitrary Python code within the agent's environment.
  • [COMMAND_EXECUTION] (HIGH): The skill implements wrappers for several powerful exploitation tools, including sqlmap, nuclei, and playwright. The sqlmap_exploit and nuclei_validate functions allow the agent to launch sophisticated attacks against target infrastructure directly from its command line.
  • [DATA_EXFILTRATION] (HIGH): The workflow in references/workflows.md (specifically ssrf_exploit and injection_exploit) includes instructions to target the cloud metadata endpoint (169.254.169.254) and perform data exfiltration as proof of impact. This poses a significant risk to sensitive environment configurations and internal data.
  • [PROMPT_INJECTION] (LOW): (Category 8: Indirect Prompt Injection) The skill is vulnerable to indirect injection because it ingests an external exploitation queue JSON (as seen in SKILL.md Core Workflow).
    ◦ Ingestion points: the Queue Intake step parses the exploitation queue JSON provided as input.
    ◦ Boundary markers: absent; no delimiters or warnings are used to prevent the agent from obeying instructions embedded in the JSON fields (e.g., bypass_hypothesis).
    ◦ Capability inventory: full subprocess calls via sqlmap, curl, and nuclei; dynamic Python execution via turbo_intruder; browser-based XSS execution via playwright.
    ◦ Sanitization: none; the skill blindly follows the instructions and parameters provided in the queue to execute attacks.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 18, 2026, 05:57 PM