skills/mukul975/anthropic-cybersecurity-skills/executing-phishing-simulation-campaign/Gen Agent Trust Hub
executing-phishing-simulation-campaign
Warn
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- [DATA_EXFILTRATION]: The skill is explicitly designed for credential harvesting. The associated script
scripts/agent.pyenables the capture of user passwords in its API requests to the GoPhish platform by settingcapture_passwordstoTrue. - [DATA_EXFILTRATION]: The Python script
scripts/agent.pydisables SSL certificate verification by default in theGoPhishClientclass and during the creation of SMTP sending profiles. This configuration exposes sensitive data, including API keys and captured credentials, to potential man-in-the-middle (MitM) attacks. - [COMMAND_EXECUTION]: The
SKILL.mdinstructions guide the user through the setup and execution of various offensive security frameworks such as GoPhish, Evilginx2, King Phisher, and the Social Engineering Toolkit (SET). - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it ingests untrusted data (target email lists and GoPhish API responses) in
scripts/agent.pyand processes it for reporting without explicit sanitization, boundary markers, or delimiters. - [CREDENTIALS_UNSAFE]: The automation script
scripts/agent.pyrequires the GoPhish API key to be passed as a command-line argument, which can result in the credential being exposed in shell history or system process logs.
Audit Metadata