security-pentest-planner

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [DATA_EXFILTRATION]: The skill is designed to systematically identify and extract sensitive information from the application's environment. It specifically targets environment configuration files including .env, .env.production, and .env.local. Additionally, it performs pattern searches for high-value secrets such as AWS_ACCESS_KEY, AWS_SECRET, and GOOGLE_APPLICATION_CREDENTIALS. Although instructions state that actual secret values should not be printed in the output, the retrieval of these secrets into the agent's context poses a significant data exposure risk.
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool and shell commands to perform deep reconnaissance. It executes discovery tasks across the technology stack and infrastructure configurations, granting the agent a high degree of insight and control over the local filesystem and system metadata.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core function of reading and analyzing untrusted codebase files. It lacks boundary markers or instructions to ignore embedded commands, meaning malicious instructions placed in target source code or comments could manipulate the agent's behavior during the planning phase.
  • [PROMPT_INJECTION]: Mandatory Evidence Chain for Indirect Prompt Injection:
      • Ingestion points: Files identified via Glob and read via the Read tool (e.g., package.json, routes.rb, *.ts, *.py).
      • Boundary markers: Absent. The skill does not define delimiters or warn the agent to ignore instructions found within the analyzed files.
      • Capability inventory: Filesystem access (Read, Glob), search capabilities (Grep), and shell command execution (Bash).
      • Sanitization: Absent. File content is processed directly without filtering for potential command patterns or instructional text.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 10, 2026, 05:26 PM