exploiting-mass-assignment-in-rest-apis

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE (flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [DATA_EXFILTRATION]: The Python agent (scripts/agent.py) initiates network requests to target URLs specified by the user. This is standard behavior for an API security testing tool performing its intended function.
  • [COMMAND_EXECUTION]: The skill's workflow relies on several command-line utilities, including curl for manual testing and a custom Python agent for automated parameter injection against remote systems.
  • [EXTERNAL_DOWNLOADS]: The documentation references external security tools such as Arjun, Nuclei, and Burp Suite. These are well-known, industry-standard tools used by security researchers.
  • [CREDENTIALS_UNSAFE]: The skill demonstrates handling API tokens for authorized access to endpoints. The automation script accepts these tokens as command-line arguments and includes them in request headers.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes external API responses.
    - Ingestion points: target API response bodies and the --data CLI argument in scripts/agent.py.
    - Boundary markers: none present in the automation script or prompts.
    - Capability inventory: the agent can perform arbitrary GET, POST, PUT, and PATCH requests using the requests library.
    - Sanitization: JSON data is parsed with json.loads, but string content is not sanitized before further processing.
  • [SAFE]: The automation script explicitly disables TLS certificate verification (verify=False). Although this normally defeats server authentication and is a security risk, it is common practice in web application security testing so that traffic can be intercepted by a debugging proxy.
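The parameter-injection workflow the audit describes, as an added example that is not the skill's scripts/agent.py: a simulated PATCH handler that binds the whole JSON body onto the user record (the mass-assignment bug) beside a hardened handler with a field allowlist, and a probe that injects one candidate privileged field per request, parses the JSON response, and reports which fields the server accepted. The handler names, the seed record, the candidate field list and the in-memory store are constructed for this example; it runs offline with no network.

```python
"""Mass-assignment probe against a simulated PATCH /users/{id} endpoint.

Added example, not the skill's own code. Everything below (seed record,
handlers, candidate fields) is constructed so the probe runs offline.
"""
import copy
import json

# Constructed seed record for the simulated /users/{id} resource.
_SEED = {"id": 7, "username": "alice", "email": "alice@example.com",
         "role": "user", "is_admin": False, "credits": 0}

# Fields a normal caller of PATCH /users/{id} may change (hardened handler only).
WRITABLE = frozenset({"username", "email"})

# Constructed candidate parameters an attacker tries to smuggle into the body.
CANDIDATES = {"role": "admin", "is_admin": True, "credits": 99999,
              "isAdmin": True, "permissions": ["*"]}


def vulnerable_patch(store, user_id, raw_body):
    """Mass-assignment bug: every key in the body is bound onto the model."""
    body = json.loads(raw_body)
    user = store[user_id]
    user.update(body)          # role, is_admin and credits are all writable here
    return 200, json.dumps(user)


def hardened_patch(store, user_id, raw_body):
    """Allowlist binder: only WRITABLE keys are copied; anything else is a 400."""
    body = json.loads(raw_body)
    unknown = set(body) - WRITABLE
    if unknown:
        return 400, json.dumps({"error": "unknown fields",
                                "fields": sorted(unknown)})
    user = store[user_id]
    for key in WRITABLE:
        if key in body:
            user[key] = body[key]
    return 200, json.dumps(user)


def run_patch(handler, raw_body, user_id=7):
    """Send one body to a handler against a fresh store; return (status, parsed)."""
    store = {user_id: copy.deepcopy(_SEED)}
    status, raw = handler(store, user_id, raw_body)
    return status, json.loads(raw)    # same json.loads step the audit notes


def probe_mass_assignment(handler, candidates=CANDIDATES):
    """Inject each candidate field on its own and report which ones the server kept.

    Returns {field: injected_value} for fields that come back with the injected
    value and differed from the record beforehand. Each probe uses a fresh copy
    of the seed so one accepted field cannot mask another.
    """
    accepted = {}
    for field, value in candidates.items():
        status, after = run_patch(handler, json.dumps({field: value}))
        if status != 200:
            continue                  # rejected outright: not accepted
        # A field the seed never had (isAdmin, permissions) being echoed back is
        # only a hint that the binder is permissive; an existing field flipping
        # (role, is_admin, credits) is the real finding.
        if after.get(field) == value and _SEED.get(field) != value:
            accepted[field] = value
    return accepted


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_patch),
                          ("hardened", hardened_patch)):
        print(name, probe_mass_assignment(handler))
```

Against the vulnerable handler the probe reports role, is_admin and credits as accepted (plus the two echoed unknown fields); against the hardened handler it reports nothing, because unknown keys are rejected with 400 before any binding happens. When the same probe is pointed at a live target, keep verify=False scoped to the run that goes through the intercepting proxy, and read the bearer token from an environment variable rather than argv, since command-line arguments are visible in process listings and shell history.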
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 15, 2026, 09:38 PM