skills/mukul975/anthropic-cybersecurity-skills/performing-hash-cracking-with-hashcat/Gen Agent Trust Hub
performing-hash-cracking-with-hashcat
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/agent.py` invokes the `hashcat` binary using `subprocess.run`. The implementation uses a list-based argument structure, which is a defensive programming practice that mitigates common shell injection vulnerabilities.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from external files.
  - Ingestion points: `scripts/agent.py` (lines 39, 53) reads hash values and wordlist content from local files.
  - Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are present when processing external hash files.
  - Capability inventory: The skill has the capability to execute shell commands via `subprocess.run` (`scripts/agent.py`, line 67).
  - Sanitization: No sanitization or validation is performed on the content of the ingested hash files beyond basic identification patterns.
- [EXTERNAL_DOWNLOADS]: The documentation references external security resources and wordlists, such as Hashcat's official site, SecLists on GitHub, and NIST standards. These references point to well-known and trusted organizations within the cybersecurity domain and are used appropriately within the context of the skill's intended purpose.
Audit Metadata