seclens-enterprise-web

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The Dockerfile uses a pipe-to-shell pattern (curl ... | sh) to install Oh My Zsh. This executes unverified remote code during the build process from a source not on the trusted organization list.
  • [COMMAND_EXECUTION] (HIGH): The references/tools.md file defines an execute_command function, which allows the AI agent to run arbitrary shell commands on the host system, bypassing tool-specific constraints.
  • [PRIVILEGE_ESCALATION] (HIGH): The compose.yaml configuration specifies network_mode: host. This grants the container full access to the host's network stack, which significantly increases the attack surface and bypasses standard container network isolation.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The Dockerfile and build process download and install numerous security tools (Nuclei, Katana, Burp Suite, Kiterunner) from external sources (GitHub, PortSwigger) that are not included in the Trusted External Sources list.
  • [DATA_EXPOSURE] (MEDIUM): The compose.yaml file mounts the host path ~/.pentest/config to the container's /root/.config. This potentially exposes sensitive user configuration files or credentials to the agent environment.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill is designed to ingest large amounts of untrusted data from external websites via tools like katana, gau, and nuclei.
      • Ingestion points: Tools such as katana_crawl and httpx_probe return data from attacker-controlled web servers.
      • Boundary markers: There are no explicit instructions or delimiters used when the agent processes these external tool outputs.
      • Capability inventory: The skill possesses high-impact capabilities, including arbitrary command execution (execute_command) and file system access (/data volume).
      • Sanitization: The skill lacks evidence of sanitization or validation of the data returned from web-based reconnaissance tools.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 18, 2026, 05:57 PM