performing-authenticated-scan-with-openvas
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: Administrative passwords for the GVM service are passed via command-line arguments in scripts/agent.py and scripts/process.py, exposing them to local process monitoring.
- [CREDENTIALS_UNSAFE]: The skill reads sensitive local files, such as SSH private keys, to facilitate authenticated scanning as described in scripts/process.py and SKILL.md.
- [CREDENTIALS_UNSAFE]: Documentation in assets/template.md recommends granting service accounts NOPASSWD sudo access to /etc/shadow on target hosts, creating a significant privilege escalation vector.
- [COMMAND_EXECUTION]: The skill automates vulnerability scanning by interacting with the GVM daemon via a local Unix socket and the gvm-cli tool.
- [EXTERNAL_DOWNLOADS]: Installation steps fetch configuration files from greenbone.github.io, which is recognized as a well-known and trusted source for the OpenVAS project.