pentest-secrets-exposure

Pass

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: SAFE, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill processes untrusted data from external sources and possesses capabilities that could be exploited if that data contains malicious instructions.
      • Ingestion points: Processes potentially malicious content from remote web servers (nuclei_exposure, error_trigger, secretfinder_scan) and untrusted source code repositories (trufflehog_scan, gitleaks_scan, semgrep_secrets).
      • Boundary markers: Absent. The skill lacks delimiters or explicit instructions to ignore prompt injection attempts within the scanned files or web responses.
      • Capability inventory: Includes the ability to perform network operations (validation and probing) and read local file systems (scanning repositories).
      • Sanitization: No evidence of content sanitization or output encoding for data ingested from the target environments.
  • [Data Exposure & Exfiltration] (LOW): The credential_validator tool is designed to send discovered secrets to external services (e.g., AWS, GitHub, Slack) to verify their validity. Although this is the primary purpose of the skill, it involves the transmission of sensitive credentials over the network.
  • [Command Execution] (LOW): The skill interfaces with multiple external command-line utilities (trufflehog, gitleaks, nuclei, ffuf). While the signatures appear standard for pentesting, they execute subprocesses based on target URLs and paths provided during runtime.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 18, 2026, 05:57 PM