testing-for-xss-vulnerabilities-with-burpsuite

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The documentation describes the installation of the security tool 'dalfox' from its public GitHub repository (github.com/hahwul/dalfox) using the Go toolchain.
  • [COMMAND_EXECUTION]: The scripts/agent.py utility performs automated network operations, including HTTP GET and POST requests, against target URLs provided by the user for vulnerability assessment.
  • [DATA_EXFILTRATION]: The skill documentation includes educational examples of XSS payloads that demonstrate the exfiltration of sensitive data, such as cookies, to an external server (attacker-server.example.com).
  • [PROMPT_INJECTION]: The scripts/agent.py script presents a surface for indirect prompt injection by ingesting and parsing untrusted HTML content from remote web servers.
  • Ingestion points: The script fetches and parses text from user-defined base_url and discovered form actions/links in scripts/agent.py.
  • Boundary markers: No delimiters or instructions are used to separate untrusted web content from processing logic.
  • Capability inventory: The script possesses network capabilities (requests.get, requests.post) but does not execute data via eval() or system() calls.
  • Sanitization: No sanitization or filtering is performed on the ingested HTML content during reflection analysis.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 15, 2026, 12:26 AM