injection
Fail
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides extensive reference material and specific payloads for achieving remote code execution across multiple platforms. This includes OS command injection one-liners (reverse shells) in reference/os-command-injection-cheat-sheet.md, SSTI class traversal payloads for Python, Java, and Ruby in reference/ssti-advanced.md, and database-specific RCE techniques such as MSSQL's xp_cmdshell and SQLite's load_extension() in reference/sql-injection-advanced.md.
- [COMMAND_EXECUTION]: Several functional Python scripts are included (e.g., in reference/nosql-injection-advanced.md and reference/sql-injection-advanced.md) that automate the process of testing for vulnerabilities. These scripts construct and execute complex network requests using the requests library to probe target systems with injection payloads.
- [DATA_EXFILTRATION]: The skill documentation and scripts describe sophisticated methods for extracting sensitive data from compromised systems. This includes character-by-character extraction using regular expressions in NoSQL (reference/nosql-injection-advanced.md), and time-based or out-of-band (DNS/HTTP) exfiltration techniques for SQL and XXE vulnerabilities found throughout the reference documents.
- [CREDENTIALS_UNSAFE]: The documentation identifies high-value targets for file retrieval, including sensitive system files like /etc/shadow, private SSH keys (id_rsa), and application environment files (.env), providing exact payloads to access these locations in the OS Command Injection and SQL Injection reference files.
Recommendations
- CRITICAL: 1 infected file(s) detected - DO NOT USE
Audit Metadata