Red Team Tools and Methodology
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill's core functionality is built on executing a wide array of security tools (Amass, Nuclei, Ffuf, etc.) through shell commands. It includes a complete bash script template (recon.sh) that would grant the AI agent arbitrary command execution on the host system.
- [PROMPT_INJECTION] (HIGH): The skill has a significant surface for indirect prompt injection.
  - Ingestion points: untrusted target domain names supplied by the user, and external data (URLs, paths) harvested from third-party services such as the Wayback Machine and GAU.
  - Boundary markers: none. The instructions define no delimiters for user-provided strings.
  - Capability inventory: subprocess execution (via the shell), file system modification (writing results to files), and unrestricted network access to target infrastructure.
  - Sanitization: there is no evidence of input validation. The recon.sh script and the one-liners interpolate the target directly into shell commands (e.g., `subfinder -d "$domain"`). Note that the double-quoted form shown passes the whole value as a single argument, so a string such as `example.com; rm -rf /` is not executed by that line on its own; the injection becomes real wherever the value is expanded unquoted, passed through `eval`, or concatenated into a command string before execution. Even in the quoted form, an unvalidated value lets a prompt-injected or mistyped target point every tool at an arbitrary host.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The instructions suggest installing external Go-based tools at runtime and reference local scripts such as paramspider.py that are not contained within the skill, potentially leading to the execution of unverified code.
- [DATA_EXFILTRATION] (MEDIUM): The skill performs extensive outbound network requests to third-party reconnaissance services and user-defined target systems, creating a channel for potential data leakage or unauthorized scanning.
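As an added illustration (not code from the audited skill's recon.sh, and not from Gen Agent Trust Hub), the script below contrasts the three ways a target string can reach a recon tool: built into a string and re-parsed by `eval` (injectable), passed as a quoted argument (not injectable, but still unvalidated), and gated behind a strict hostname allow-list. `echo` stands in for the real tool invocation so nothing is scanned; the function names and the hostname regex are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example, not the audited skill's recon.sh. 'echo' stands in for the
# real tool (subfinder, amass, ...) so the behaviour can be observed without
# touching any network. Function names and the hostname regex are this
# example's own assumptions.
set -u

# Allow-list check for a hostname: dot-separated labels of [A-Za-z0-9-] with
# no leading or trailing hyphen, an alphabetic TLD, at most 253 characters.
# Anything else (spaces, ';', '$', '`', '(', a leading '-') is rejected
# before any tool sees it. Returns 0 when valid, 1 otherwise.
valid_domain() {
  local d="$1"
  [ "${#d}" -le 253 ] || return 1
  printf '%s' "$d" |
    grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Injectable: the command is assembled as a string and re-parsed by eval, so
# metacharacters inside $target become shell syntax. With the input
# 'example.com; echo INJECTED' the second command actually runs.
run_eval() {
  local target="$1"
  eval "echo scanning $target"
}

# Not injectable: "$target" is expanded once, as a single argument, so
# 'example.com; echo INJECTED' is handed to the tool literally. The tool is
# nevertheless pointed at whatever string the caller (or an injected prompt)
# supplied.
run_quoted() {
  local target="$1"
  echo scanning "$target"
}

# Hardened: validate first, then pass the value as one argument after '--'
# so it can be neither word-split nor read as an option by the tool.
# Returns 2 and writes to stderr when the target is rejected.
run_checked() {
  local target="$1"
  if ! valid_domain "$target"; then
    printf 'rejected target: %s\n' "$target" >&2
    return 2
  fi
  echo scanning -- "$target"
}

# Demonstration when run directly (constructed inputs, nothing is scanned).
run_eval    'example.com; echo INJECTED'
run_quoted  'example.com; echo INJECTED'
run_checked 'example.com; echo INJECTED' || true
run_checked example.com
```

Run it as-is to see the four outcomes: the `eval` form prints an extra `INJECTED` line, the quoted form prints the whole string as one target, the checked form rejects the string and accepts `example.com`. A wrapper around recon.sh or the one-liners should apply a check like `valid_domain` at the single point where the target enters, so that both the shell and the tools only ever see a hostname.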
Recommendations
- AI detected serious security threats
Audit Metadata