bug-bounty
Warn
Audited by Gen Agent Trust Hub on May 24, 2026
Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install various third-party security tools from GitHub repositories of individual developers and unofficial sources (e.g., `kiterunner` from `assetnote`, `subzy` from `LukaSikic`, and `sisakulint`).
- [COMMAND_EXECUTION]: The workflow involves the extensive use of shell commands for network scanning, fuzzing, and automated auditing (e.g., `ffuf`, `nuclei`, `subfinder`, and `semgrep`).
- [DATA_EXFILTRATION]: Includes proof-of-concept templates designed to exfiltrate sensitive information, such as environment variables (`$GITHUB_ENV`), to attacker-controlled external URLs. If the agent attempts to validate a finding by running these templates, it could expose its own host environment.
- [PROMPT_INJECTION]: Uses high-priority directives like "THE ONLY QUESTION THAT MATTERS" and "STOP. Do not write" to override the agent's default behavior and response patterns.
- [METADATA_POISONING]: There is a clear discrepancy between the author identified in the context ("elementalsouls") and the source repository referenced in the installation instructions ("shuvonsec").
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process untrusted data from external websites, API responses, and remote source code.
  - Ingestion points: `SKILL.md` (via tools like `katana`, `waybackurls`, and `gau` fetching from external URLs).
  - Boundary markers: Absent.
  - Capability inventory: `curl`, `wget`, `subfinder`, `nuclei`, `semgrep`, `ffuf`, and multiple package managers across `SKILL.md`.
  - Sanitization: No explicit sanitization or validation of external content is defined.
Audit Metadata