testing-for-xxe-injection-vulnerabilities

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE
Finding categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill recommends downloading the XXEinjector exploitation tool from a third-party GitHub repository (enjoiz/XXEinjector) which is not part of the verified trusted vendors list.
  • [REMOTE_CODE_EXECUTION]: Provides instructions to clone and potentially execute code from an external repository (XXEinjector). While common in security workflows, this represents an unverifiable dependency risk.
  • [COMMAND_EXECUTION]: Includes numerous shell commands for manual testing, such as curl for interacting with web APIs, python -m http.server for hosting malicious DTD files, and archive utilities like zip/unzip for manipulating XML-based file formats like DOCX and XLSX.
  • [DATA_EXFILTRATION]: Contains multiple XML payloads and automated routines in scripts/agent.py designed to exfiltrate sensitive server data, including /etc/passwd, Windows configuration files, and cloud environment metadata via SSRF.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to the processing of untrusted data from target server responses.
      • Ingestion points: The test_xxe_payloads function in scripts/agent.py captures and evaluates resp.text from the target server to detect successful injection.
      • Boundary markers: No delimiters or safety instructions are used to prevent the agent from being influenced by malicious content returned in the target response body.
      • Capability inventory: The script has the capability to perform network requests via requests.post and write findings to the local filesystem via generate_report.
      • Sanitization: There is no evidence of sanitization or filtering of the captured response content before it is used in the agent's logic.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 15, 2026, 12:26 AM