testing-for-sensitive-data-exposure

Pass

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill facilitates downloading web content, including JavaScript files and configuration files from remote servers, as part of its scanning functionality in scripts/agent.py.
  • [COMMAND_EXECUTION]: SKILL.md provides various command-line instructions using curl, grep, and jq to perform manual assessments of sensitive data exposure on remote targets.
  • [DATA_EXFILTRATION]: The tool is specifically designed to scan for and collect credentials, API keys, and personally identifiable information (PII) from web applications. While intended for security audits, this functionality handles highly sensitive data and could be misused for data harvesting.
  • [PROMPT_INJECTION]: The skill has an indirect injection surface where it processes untrusted data from a target website to determine its next network operations (Category 8).
      • Ingestion points: scripts/agent.py (line 41) extracts script URLs from the HTML source of the target URL via regular expressions.
      • Boundary markers: No delimiters or warnings are used when processing the extracted URLs or the content of the downloaded scripts.
      • Capability inventory: The script uses requests.get (line 53) to fetch discovered JavaScript files and checks them for secrets, and check_config_files (line 79) to probe for sensitive paths like .aws/credentials.
      • Sanitization: There is no validation or sanitization of discovered URLs before they are used in subsequent network requests.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 7, 2026, 03:16 AM