Skills
skills/elementalsouls/claude-bughunter/hunt-ato/Gen Agent Trust Hub

hunt-ato

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill includes shell command templates for common security tools such as ffuf, curl, hashcat, and dig. these tools are used to test the security posture of target web applications.
  • [EXTERNAL_DOWNLOADS]: Instructions guide the user to fetch configuration files, like jwks.json, from the target's public directories for JWT analysis.
  • [DATA_EXFILTRATION]: The guide describes out-of-band verification techniques using services like Burp Collaborator to confirm the leakage of sensitive tokens.
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection as it processes external data like JWT payloads and API responses (Ingestion points in SKILL.md). It lacks explicit boundary markers or input sanitization, while maintaining shell execution capabilities (Capability inventory: curl, python3 in SKILL.md).
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 04:05 PM
Security Audit — agent-trust-hub — hunt-ato