pentest-vuln-verify-test

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION)
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The script scan_demo.sh contains hardcoded authentication and session cookies for reg.jd.com (e.g., pinId, light_key, TrackID). This represents a leak of sensitive session data.
  • [COMMAND_EXECUTION] (LOW): verify.sh dynamically constructs curl commands. While it uses array-based execution to mitigate shell injection, the ability to specify arbitrary URLs and headers allows for unauthorized network requests (SSRF).
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes untrusted input through URLs and cookies without sanitization. Evidence: 1. Ingestion points: URL and COOKIE parameters in verify.sh. 2. Boundary markers: None present. 3. Capability inventory: Subprocess execution of curl in verify.sh. 4. Sanitization: No input validation or escaping is performed on parameters.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 18, 2026, 05:57 PM