dast-zap
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill instructs the agent to run shell commands (Docker) using variable placeholders like `<target-url>`. If the agent does not strictly sanitize the input provided for these placeholders, an attacker could perform command injection (e.g., by providing a URL like `http://localhost; malicious_command`). Additionally, mounting the current directory with `-v $(pwd):/zap/wrk` grants the container access to local files.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires pulling and running the `zaproxy/zap-stable` Docker image. While OWASP ZAP is a reputable security tool, it is an external dependency from a source not included in the explicitly trusted list, necessitating verification of the image's integrity.
- [PROMPT_INJECTION] (MEDIUM): The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from external web applications via ZAP scan results. If a scanned application returns malicious payloads (e.g., in headers or page titles) that are then reflected in the `zap-results.json` alerts, the agent might interpret those alerts as instructions when performing the 'Parse the results' and 'Summarize' steps.
- Ingestion points: Reading `zap-baseline-results.json`, `zap-full-results.json`, and `zap-api-results.json`.
- Boundary markers: None. The instructions tell the agent to "Read JSON output and present findings" without specifying delimiters for untrusted content.
- Capability inventory: Execution of shell commands via `docker run`.
- Sanitization: None specified in the skill instructions.
Recommendations
- AI detected serious security threats
Audit Metadata