performing-soap-web-service-security-testing
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill utilizes the `requests` library to fetch WSDL documentation from remote URLs for service analysis and endpoint discovery.
- [COMMAND_EXECUTION]: The Python scripts in `SKILL.md` and `scripts/agent.py` perform HTTP POST requests to transmit security testing payloads (e.g., XML injection, SQL injection) to target SOAP services.
- [DATA_EXFILTRATION]: The skill contains diagnostic payloads designed to detect vulnerabilities by attempting to read sensitive system files (e.g., `/etc/passwd`) or initiate out-of-band interactions with an external domain (`attacker.example.com`). These behaviors are restricted to the testing context.
- [PROMPT_INJECTION]: The skill ingests untrusted XML data from external WSDL files, representing a surface for indirect injection.
  - Ingestion points: Response content from remote URLs in `scripts/agent.py` and `SKILL.md`.
  - Boundary markers: None implemented for the parsed XML data.
  - Capability inventory: The script performs network operations and parses XML structures with `lxml` and `etree`.
  - Sanitization: No explicit sanitization or schema validation is applied to the retrieved WSDL content beyond basic parsing.
Audit Metadata