hunt-aspnet
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it is designed to ingest and analyze untrusted data from external web servers.
- Ingestion points: Target server responses (HTML bodies and headers) are fetched via
requestsandcurlfor analysis. - Boundary markers: There are no specific delimiters or instruction-ignore markers wrapping the content processed from external targets.
- Capability inventory: The skill possesses network capabilities (via
curland Pythonrequests) and the ability to process and report on extracted data. - Sanitization: Data extracted from target responses (such as ViewState values) is handled via regular expressions but is not sanitized against adversarial instructions before being presented to the agent.
- [REMOTE_CODE_EXECUTION]: Provides a diagnostic Python script that utilizes the
requestslibrary to test server-side parsing logic. The script does not execute remote code locally or perform unsafe operations likeeval()on data received from the network. - [COMMAND_EXECUTION]: Contains example
curlcommands for fingerprinting server configurations and checking for the presence of diagnostic endpoints liketrace.axd. These are standard security auditing procedures. - [DATA_EXFILTRATION]: Network activity is restricted to probing user-defined targets for vulnerability research. No logic was found that attempts to exfiltrate local secrets, credentials, or system information to unauthorized third parties.
Audit Metadata