skills/mukul975/anthropic-cybersecurity-skills/performing-api-fuzzing-with-restler/Gen Agent Trust Hub
performing-api-fuzzing-with-restler
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the RESTler fuzzing engine from Microsoft's official GitHub repository (github.com/microsoft/restler-fuzzer). This is a well-known and trusted source for the tool and follows standard installation practices.
- [COMMAND_EXECUTION]: The script 'scripts/agent.py' uses 'subprocess.run' to execute the RESTler binary for API compilation and fuzzing campaigns. These commands are executed using argument lists, which is a secure practice to prevent shell injection.
- [CREDENTIALS_UNSAFE]: The documentation in 'SKILL.md' contains example credentials ('fuzzer@test.com' and 'FuzzerPass123!') within a sample authentication script. These are clearly marked for a simulated test environment ('example.com') and serve as educational placeholders.
- [PROMPT_INJECTION]: The skill processes external OpenAPI/Swagger specifications which serve as an ingestion point for potentially untrusted data.
- Ingestion points: OpenAPI specification files provided via the '--compile-spec' argument in 'scripts/agent.py'.
- Boundary markers: None explicitly defined in the wrapper script; the content is parsed by the RESTler compiler.
- Capability inventory: Subprocess execution for tool orchestration and local filesystem access for results analysis.
- Sanitization: Relies on the parsing and validation logic of the underlying RESTler compiler.
Audit Metadata