performing-authenticated-vulnerability-scan

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [CREDENTIALS_UNSAFE]: The script scripts/agent.py accepts sensitive Nessus API keys (access_key and secret_key) via command-line arguments, which can be exposed in system process lists or shell history files.
  • [CREDENTIALS_UNSAFE]: The NessusClient in scripts/agent.py is configured to disable SSL certificate verification (verify=False), making API communications vulnerable to Man-in-the-Middle (MITM) attacks.
  • [COMMAND_EXECUTION]: The scripts/process.py utility performs remote command execution on target hosts using SSH and WinRM to verify credential validity and privilege levels.
  • [COMMAND_EXECUTION]: In scripts/process.py, the SSH validation uses paramiko.AutoAddPolicy(), which automatically accepts unknown host keys, bypassing the security protection against host impersonation.
  • [CREDENTIALS_UNSAFE]: The instructions in SKILL.md guide users to grant high-level privileges to service accounts, including adding them to the 'Domain Admins' group or granting passwordless sudo access to sensitive files like /etc/shadow, which presents a significant security risk if the scanner or its credentials are compromised.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 15, 2026, 09:38 PM