pentest-ai-agents
Audited by Snyk on May 18, 2026
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes many insecure patterns that require exposing secrets verbatim (e.g., Python POCs that print AWS AccessKey/Secret/Token, CLI examples embedding plaintext passwords/API keys like 'Password123' or curl/CLI auth tokens, and phishing/capture flows), so an agent would be expected to output secret values directly.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These URLs include direct installer scripts (raw.githubusercontent.com and curl|bash-style install.sh), an unknown GitHub user repo, non-official domains and cloneable repos, plus example exploit/SSRF endpoints to cloud metadata and internal hosts — all of which are high-risk vectors for distributing or executing malicious code if treated as authoritative and run locally.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The skill contains explicit, actionable and execution-ready instructions for credential theft (phishing, Evilginx), data exfiltration (SSRF to cloud metadata, uploading/storing stolen creds), remote code execution and persistence (reverse shells, process injection, cron/systemd backdoors), privilege escalation and lateral movement (AD SPN/kerberoast, container/docker.sock escape), payload obfuscation/AV-evasion (XOR/base64, AMSI/ETW bypass), C2 usage (Cobalt Strike/Sliver), and a supply-chain risk (curl|bash install from raw GitHub)—all of which are high-risk patterns that can be used deliberately for malicious abuse outside authorized testing.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs agents (e.g., osint-collector, web-hunter, phishing-operator) to run tools like subfinder/amass/theHarvester, query breach databases (dehashed), and wget/mirror public SSO/login pages — all open/public third-party content that the agents parse and act on to drive follow-up exploitation and tooling decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The README explicitly instructs executing remote install code (curl -fsSL https://raw.githubusercontent.com/0xSteph/pentest-ai-agents/main/install.sh | bash) and/or cloning the repo (git clone https://github.com/0xSteph/pentest-ai-agents.git), which fetches and runs code that installs agent files (prompts/behaviors), so these URLs are runtime external dependencies that execute remote code and supply the agent instructions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill includes explicit install scripts (curl|bash), commands that require sudo/package installs, and examples that create persistence and modify host system files (cron, systemd, SSH keys, docker host escape), so it directly instructs actions that change the machine state and enable privileged modifications.
Issues (6)
- HIGH W007: Insecure credential handling detected in skill instructions.
- CRITICAL E005: Suspicious download URL detected in skill instructions.
- CRITICAL E006: Malicious code pattern detected in skill scripts.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- MEDIUM W013: Attempt to modify system services in skill instructions.