skills/steffen025/pai-opencode/Recon/Gen Agent Trust Hub

Recon

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The Tools/MassScan.ts script executes the masscan tool with sudo privileges to perform raw packet operations. This requirement for root access poses a high security risk if the tool or its inputs are compromised.
  • [EXTERNAL_DOWNLOADS]: The Workflows/UpdateTools.md workflow facilitates the remote updating and installation of numerous security binaries using the pdtm tool manager from ProjectDiscovery's infrastructure.
  • [COMMAND_EXECUTION]: Several workflows (e.g., PassiveRecon.md, IpRecon.md) perform automated status notifications by making unauthenticated POST requests to a local service (http://localhost:8888/notify) via curl.
  • [REMOTE_CODE_EXECUTION]: The SKILL.md file implements a customization mechanism that dynamically loads and executes configurations or resources from a specific local directory path (~/.opencode/skills/CORE/USER/SKILLCUSTOMIZATIONS/Recon/), allowing for local code execution based on the contents of that directory.
  • [PROMPT_INJECTION]: The Workflows/AnalyzeScanResultsGemini3.md workflow is vulnerable to indirect prompt injection as it feeds raw, potentially attacker-influenced scan data directly into a high-reasoning LLM prompt.
      • Ingestion points: Reads scan results from files like $SCAN_FILE (Nmap, Masscan, HTTPx outputs) and processes content from external JavaScript files discovered via Tools/EndpointDiscovery.ts.
      • Boundary markers: Uses Markdown triple backticks to enclose scan results but lacks explicit negative constraints to prevent the LLM from following instructions embedded within the scan data.
      • Capability inventory: The skill has broad execution capabilities, including shell access, file writing in the home directory, and network operations with administrative privileges.
      • Sanitization: No sanitization or filtering is performed on the ingested scan data or JavaScript content before it is processed by the LLM.
  • [EXTERNAL_DOWNLOADS]: Tools/BountyPrograms.ts fetches a list of bounty programs from a public GitHub repository maintained by ProjectDiscovery (raw.githubusercontent.com/projectdiscovery/public-bugbounty-programs/main/chaos-bugbounty-list.json).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 5, 2026, 07:38 AM