Skills
skills/aradotso/security-skills/pentest-ai-agents/Gen Agent Trust Hub

pentest-ai-agents

Fail

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The recommended installation method uses curl -fsSL https://raw.githubusercontent.com/0xSteph/pentest-ai-agents/main/install.sh | bash. This pattern executes code from a remote, untrusted source directly in the user's shell without opportunity for review, a classic high-risk attack vector.
  • [REMOTE_CODE_EXECUTION]: The skill recommends installing Ollama using curl -fsSL https://ollama.com/install.sh | sh. While the service is well-known, piping remote content to a shell remains a dangerous practice.
  • [COMMAND_EXECUTION]: The 'Tier 2' agents are explicitly designed to execute offensive security tools (e.g., nmap, nuclei, BloodHound, Impacket) on the local system. This creates a high-impact surface for arbitrary command execution under the guise of security testing.
  • [EXTERNAL_DOWNLOADS]: The installation script with the --tools flag downloads and installs a large number of third-party tools via multiple package managers (apt, brew, pipx, go, cargo). This introduces extensive supply chain risks from unverified external dependencies.
  • [DATA_EXFILTRATION]: Multiple agents (e.g., osint-collector, ad-attacker, recon-advisor) are designed to harvest sensitive data including domain information, credentials, and network topology. The collected data is stored in a local SQLite database (findings.db), which could be exfiltrated by malicious scripts within the skill's complex toolchain.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection as it is designed to ingest and analyze untrusted data from external targets, such as nmap XML scans, nuclei JSON reports, and raw web response data. Evidence chain:
  • Ingestion points: Data enters the context through nmap, nuclei, and BloodHound output files processed by recon-advisor and ad-attacker.
  • Boundary markers: No explicit boundary markers or 'ignore embedded instruction' warnings are documented for the data ingestion process.
  • Capability inventory: The skill has extensive capabilities including subprocess calls, file-write operations (findings.sh), and network access across its 35 agents.
  • Sanitization: There is no documentation of sanitization or validation of the external content before it is processed by the LLM.
Recommendations
  • HIGH: Downloads and executes remote code from: https://ollama.com/install.sh, https://raw.githubusercontent.com/0xSteph/pentest-ai-agents/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
May 18, 2026, 05:02 PM
Security Audit — agent-trust-hub — pentest-ai-agents