The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The documentation references several well-known security tools and wordlists hosted on GitHub, such as ffuf, Gobuster, and the SecLists repository. These are standard resources in the cybersecurity community.
[COMMAND_EXECUTION]: The agent.py script performs automated HTTP requests to a user-provided target URL to discover hidden endpoints. The script explicitly disables SSL verification (verify=False), which is a common but insecure practice for penetration testing tools that should be noted by users.
[DATA_EXFILTRATION]: The skill is designed to locate sensitive configuration and backup files (e.g., .env, .git/config, .sql) on remote target servers as part of its testing functionality.
[CREDENTIALS_UNSAFE]: The script accepts a session cookie as a command-line argument (--session-cookie) to perform comparative testing between authenticated and unauthenticated responses.
[INDIRECT_PROMPT_INJECTION]: The skill interacts with external web targets.
Ingestion points: Data enters the context via requests.get() responses from the target URL in scripts/agent.py.
Boundary markers: Absent.
Capability inventory: Network access via the requests library and file system access via open and json.dump.
Sanitization: No sanitization is performed on the responses or the paths discovered from the target web server.

bypassing-authentication-with-forced-browsing