ffuf-web-fuzzing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill facilitates the execution of ffuf commands on the host system. If user-supplied inputs such as target URLs, header values, or wordlist paths are not strictly sanitized, an attacker could achieve arbitrary command injection via shell metacharacters.
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8, Tier: HIGH). Evidence:
  1. Ingestion points: The agent is instructed to 'interpret the results,' which involves reading HTTP headers and bodies from untrusted web targets.
  2. Boundary markers: No delimiters or instructions are used to distinguish target data from system prompts.
  3. Capability inventory: The agent can execute commands (ffuf) and write files via the ffuf_helper.py script.
  4. Sanitization: There is no evidence of sanitization or filtering of the remote content before the agent processes it.

  An attacker-controlled server could return malicious instructions in a response to hijack the agent session.
- [EXTERNAL_DOWNLOADS] (LOW): The documentation directs users to install ffuf and SecLists from GitHub. While these sources (github.com/ffuf and github.com/danielmiessler) are recognized as reputable under the [TRUST-SCOPE-RULE], the process of downloading and running external security tools and large datasets represents a significant attack surface.
- [CREDENTIALS_UNSAFE] (LOW): The REQUEST_TEMPLATES.md file contains hardcoded example credentials, including 'Basic YWRtaW46cGFzc3dvcmQxMjM=' (admin:password123) and dummy JWT tokens. While meant as placeholders, these provide insecure defaults.
Recommendations
- AI detected serious security threats