dast-zap
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill provides raw bash commands (`docker run --rm -v $(pwd):/zap/wrk ...`) for the agent to execute. These commands include volume mounting of the current working directory, which allows the container to read and write to the host's filesystem. This requires the agent to have high-privilege shell access.
- EXTERNAL_DOWNLOADS (MEDIUM): The instructions direct the agent to download and run the `zaproxy/zap-stable` Docker image. While OWASP ZAP is a legitimate tool, this external dependency is not from a source within the defined Trusted Scope.
- INDIRECT_PROMPT_INJECTION (HIGH):
  - Ingestion points: The agent is instructed to read and parse `zap-baseline-results.json`, which contains data gathered from external web applications (CWE descriptions, alert details).
  - Boundary markers: None. There are no instructions or delimiters provided to ensure the agent ignores malicious instructions embedded within the scan results.
  - Capability inventory: The skill has the capability to execute shell commands (`docker run`) and process external data.
  - Sanitization: None. The skill asks the agent to parse and summarize findings directly from the tool's output, creating a surface where malicious content from a scanned target could influence the agent's behavior.
Recommendations
- AI detected serious security threats
Audit Metadata