Skills
skills/mukul975/anthropic-cybersecurity-skills/testing-api-for-broken-object-level-authorization/Gen Agent Trust Hub

testing-api-for-broken-object-level-authorization

Fail

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Automated analysis and manual inspection identified a high-risk command pattern that pipes remote content from an external URL directly into the Python interpreter.
  • Evidence: curl -s https://target-api.example.com/api/docs/swagger.json | python3 in SKILL.md as flagged by the automated security alerts. While the documentation also shows the use of the -m json.tool flag, the base pattern of piping unvalidated remote content to an interpreter is a dangerous practice that can lead to arbitrary code execution.
  • [COMMAND_EXECUTION]: The skill provides instructions and a specialized script to execute various system commands and network operations.
  • Evidence: Extensive use of curl, python3, and the web fuzzer ffuf within the SKILL.md workflow for reconnaissance and data retrieval.
  • Evidence: The scripts/agent.py file uses the requests library to perform automated network requests to user-defined API endpoints.
  • [EXTERNAL_DOWNLOADS]: The skill fetches documentation and data from remote servers to drive its security testing logic.
  • Evidence: Workflow steps in SKILL.md involve downloading OpenAPI/Swagger specifications from target-api.example.com.
  • [CREDENTIALS_UNSAFE]: The methodology for testing authorization vulnerabilities involves the manual capture and handling of sensitive authentication secrets.
  • Evidence: Code examples in SKILL.md demonstrate storing JSON Web Tokens (JWTs) and session cookies in plain text string variables.
  • Evidence: The testing workflow requires the management of multiple distinct tokens for different test users, increasing the risk of exposure.
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it ingests and processes data from external, potentially untrusted API endpoints.
  • Ingestion points: Data is ingested into the agent's context through API response parsing in scripts/agent.py and JSON parsing in SKILL.md shell commands.
  • Boundary markers: The skill does not implement boundary markers or instructions to ignore potential commands embedded in the fetched JSON data.
  • Capability inventory: The scripts/agent.py component has the capability to perform network requests (requests) and write files to the disk (json.dump).
  • Sanitization: There is no evidence of sanitization or strict schema validation for the external API payloads before they are consumed and acted upon by the agent.
Recommendations
  • HIGH: Downloads and executes remote code from: https://target-api.example.com/api/docs/swagger.json - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 15, 2026, 01:52 PM