hackthebox
Fail
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs administrative actions using sudo. It modifies the system /etc/hosts file to add target hostnames (workflow.md) and manages the OpenVPN service, including starting the daemon and terminating processes (vpn-setup.md).
- [REMOTE_CODE_EXECUTION]: The skill implements a self-modifying logic loop where the /skill-update command is used to rewrite the skill's own reference documentation and instructions based on "lessons learned" during automated exploitation sessions (skill-improvement.md, workflow.md).
- [EXTERNAL_DOWNLOADS]: The skill configuration for browser automation uses `npx @playwright/mcp@latest`. This command fetches and executes the latest version of the Playwright MCP server from the public npm registry at runtime without version pinning (cloudflare-bypass.md).
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface, as it ingests untrusted data from external platforms that is then processed by agents with significant system capabilities.
  - Ingestion points: Challenge descriptions, machine metadata, and tech-stack information are read from the HackTheBox platform (platform-navigation.md).
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are used when agents process target data.
  - Capability inventory: Agents have access to high-privilege shell commands (sudo), system file modification, and the ability to update the skill's own instruction set.
  - Sanitization: No sanitization or validation is specified for the techniques and lessons extracted from exploitation logs before they are incorporated into the skill's permanent reference files.
Recommendations
- AI detected serious security threats
Audit Metadata