WebAssessment

Fail

Audited by Socket on Mar 5, 2026

2 alerts found:

Alert types: Obfuscated File, Anomaly

Obfuscated File (HIGH)
SKILL.md

The WebAssessment skill presents a coherent, modular approach to security assessment with recon, threat modeling, and pentest workflows. Its on-host orchestration, customization hooks, and local tool invocations are appropriate for an integrated security workflow but introduce non-trivial host IPC, runtime dependencies, and tight workspace coupling. The most notable risks are the mandatory localhost notification mechanism and the reliance on locally-sourced tooling (bun-based TS scripts) which require stringent access controls, version pinning, and integrity verification. Overall, risk is moderate; no explicit malicious activity is evident in this fragment, but the host-centric design warrants careful environment hardening and explicit authorization checks.

Confidence: 90%
Anomaly (LOW)
Workflows/pentest/Exploitation.md

This fragment is an explicit exploitation and PoC guide containing concrete payloads, tool commands, and reproduction steps for a broad set of web vulnerabilities (SQLi, XSS, CSRF, SSRF, XXE, file upload, auth/authorization faults). It is dual-use: appropriate and valuable for authorized security testing, but it materially lowers the effort for malicious actors if distributed without controls. There is no evidence of obfuscated code or an automated backdoor in the fragment itself, and no hard-coded credentials were found. Treat inclusion of this document in public packages or repositories as a moderate-to-high misuse risk; sanitize examples or restrict distribution to authorized testers.

Confidence: 75%
Severity: 60%

Audit Metadata

Analyzed At: Mar 5, 2026, 07:42 AM
Package URL: pkg:socket/skills-sh/steffen025%2Fpai-opencode%2Fwebassessment%2F@d330b5cb91185bf1e5ca62e9468551da0312666d