pentest-recon-attack-surface

Pass

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill processes untrusted data from external sources, including web page content (via Playwright and Katana) and application source code (via Semgrep and Ripgrep).
    ◦ Ingestion points: Target URLs, HTTP response bodies, and source code files.
    ◦ Boundary markers: No explicit delimiters or instructions are provided to the agent to ignore potentially malicious directions embedded in the target data.
    ◦ Capability inventory: The skill possesses extensive system and network capabilities through tools such as nmap and Playwright.
    ◦ Sanitization: There is no evidence that content retrieved from external targets is sanitized before it is analyzed by the LLM.
  • Data Exposure & Exfiltration (LOW): The skill requires plaintext credentials (usernames and passwords) to perform authenticated crawling as defined in the playwright_authenticated_crawl function in references/tools.md. While necessary for the skill's primary purpose, these credentials represent a sensitive data handling surface that could lead to exposure if the agent logs or includes them in its outputs inappropriately.
  • Command Execution (LOW): The skill functions as a wrapper for several powerful CLI tools such as nmap, ffuf, and subfinder. The logic relies on these external binaries being correctly configured and invoked. While the function signatures are structured, there is a risk of local command injection if the arguments (targets, ports, wordlist paths) are derived from untrusted user input without strict validation in the underlying implementation.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 18, 2026, 05:57 PM