bb-local-toolkit
Fail
Audited by Gen Agent Trust Hub on May 24, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The installation section provides shell commands (`curl -s ... -o` and `git clone`) to download the skill itself from an external GitHub repository (shuvonsec/claude-bug-bounty) that does not match the stated author (elementalsouls). It also facilitates the execution of numerous unverified third-party binaries.
- [EXTERNAL_DOWNLOADS]: The skill provides instructions to download tools and configurations from untrusted third-party sources, including `github.com/assetnote`, `github.com/LukaSikic`, `github.com/shuvonsec`, and `usestrix.com`, which are not recognized as trusted vendors.
- [PROMPT_INJECTION]: The skill uses strong imperative language in the "CRITICAL RULES" and "THE ONLY QUESTION THAT MATTERS" sections (e.g., "STOP. Do not write. Do not explore further. Move on.", "KILL THESE IMMEDIATELY") to override the agent's default operational behavior and safety filters.
- [COMMAND_EXECUTION]: Provides a vast arsenal of pre-configured shell commands for reconnaissance, automated scanning (`nuclei`, `ffuf`), and vulnerability exploitation, granting the agent high levels of autonomous system access.
- [DATA_EXFILTRATION]: While intended for security research, the skill provides methodology and specific commands (e.g., SSRF for cloud metadata, exfiltrating PII) that could be leveraged by a malicious actor to harvest sensitive information from the local environment or internal network.
- [INDIRECT_PROMPT_INJECTION]: The skill defines a large vulnerability surface by automating the ingestion of untrusted content from targets (HackerOne scopes, crawled URLs, source code) and piping it into high-privilege tools without boundary markers or sanitization.
  - Ingestion points: HackerOne GraphQL API, `subfinder` output, `katana` crawls, and `grep` operations on local/remote source code.
  - Boundary markers: None present to separate untrusted data from agent instructions.
  - Capability inventory: Subprocess execution for Go/Python tools, network operations (`curl`, `httpx`), and file system writes.
  - Sanitization: No evidence of input validation or escaping before interpolation into tool commands.
Recommendations
- AI detected serious security threats
Audit Metadata