skills/mukul975/anthropic-cybersecurity-skills/testing-for-xxe-injection-vulnerabilities/Gen Agent Trust Hub
testing-for-xxe-injection-vulnerabilities
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The SKILL.md file contains numerous shell commands utilizing `curl` for interacting with XML APIs, `cat` for generating malicious SVG and DTD files, and `python3 -m http.server` for hosting payloads during out-of-band testing.
- [EXTERNAL_DOWNLOADS]: The documentation recommends cloning the `XXEinjector` repository from GitHub to facilitate automated exploitation, which is a standard tool in security testing workflows.
- [DATA_EXFILTRATION]: The primary objective of the skill is to teach and automate the extraction of sensitive files (such as `/etc/passwd` or application configurations) and cloud environment metadata from a target server via XXE injection.
- [SAFE_PRACTICE]: The included agent script (`scripts/agent.py`) demonstrates safe XML parsing using the `defusedxml` library, which is a recommended security best practice to prevent XXE vulnerabilities in the agent's own processing.