endpoint-validator
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
Findings flagged: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its ingestion of untrusted repository files. Specifically, Phase 1, Step 1 directs the agent to 'Read repository CLAUDE.md' and 'follow any repository-level CLAUDE.md'. Malicious instructions placed in this file could override the agent's behavior.
- Ingestion points: CLAUDE.md, endpoints.json, tests/endpoints.json.
- Boundary markers: Absent. The skill lacks delimiters or 'ignore embedded instructions' warnings for the data it processes.
- Capability inventory: Includes Bash (running curl), Read, Write, Glob, and Edit in SKILL.md.
- Sanitization: Absent. No filtering or validation of external file content is implemented before the agent interprets the instructions.
- Mitigation: External content should be wrapped in clear delimiters with instructions to treat the content as data only. Delimiters lower the risk but do not remove it; the repository CLAUDE.md should not be given authority to change the skill's own instructions or its tool usage.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute curl commands with parameters such as URL, path, and headers sourced from local configuration files (endpoints.json). This pattern is vulnerable to Server-Side Request Forgery (SSRF) if an attacker provides a configuration file that targets internal network resources or cloud metadata services (e.g., 169.254.169.254). Because the headers come from the same file, a configuration that points base_url at an attacker-chosen host would also deliver whatever Authorization header the file defines to that host.
- Mitigation: The agent should validate base_url before every call: allow only the expected scheme and an allowlist of hosts, resolve the hostname and reject loopback, link-local (169.254.0.0/16) and RFC 1918 addresses, and not follow redirects (curl -L), since a permitted host can redirect to an internal one. Values read from the file should be passed to curl as separate quoted arguments, never interpolated into a shell string.
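The following is an added example of the COMMAND_EXECUTION mitigation, written for this page; it is not code from the endpoint-validator skill. It validates each entry of an endpoints.json-style file before a curl argv is built: https only, host on an allowlist, and every address the host resolves to must be public, which rejects loopback, private and link-local ranges including the 169.254.169.254 metadata service. The allowlist (api.example.com), the sample config and the offline resolver are assumptions made for the example.

```python
"""
Added example for the COMMAND_EXECUTION mitigation; not part of the audited
skill. Validates endpoints.json entries before a curl argv is built.
"""
import ipaddress
import json
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
# Assumed allowlist: the hosts this validator is expected to exercise.
ALLOWED_HOST_SUFFIXES = ("api.example.com",)


def default_resolver(host):
    """Real DNS lookup: every address the name maps to, v4 and v6."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _host_allowed(host):
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def validate_base_url(base_url, resolver=default_resolver):
    """Return 'scheme://netloc' for a safe base_url, else raise ValueError."""
    parts = urlsplit(base_url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        # IP literal: check the address itself.
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        # Hostname: must be allowlisted, and every resolved address is checked,
        # so a DNS name pointing at 10.0.0.0/8 or 169.254.169.254 is caught too.
        if not _host_allowed(host):
            raise ValueError(f"host not in allowlist: {host!r}")
        addrs = resolver(host)
        if not addrs:
            raise ValueError(f"host does not resolve: {host!r}")
    for a in addrs:
        if not ipaddress.ip_address(a).is_global:
            raise ValueError(f"{host!r} resolves to non-public address {a}")
    return f"{parts.scheme}://{parts.netloc}"


def build_curl_argv(entry, resolver=default_resolver):
    """Build an argv list for one endpoint entry: no shell string, no -L."""
    base = validate_base_url(entry["base_url"], resolver)
    path = entry.get("path", "/")
    if not path.startswith("/") or any(c.isspace() for c in path):
        raise ValueError(f"path must be an absolute path without whitespace: {path!r}")
    argv = ["curl", "--silent", "--show-error", "--fail",
            "--proto", "=https", "--max-time", "10", base + path]
    for name, value in entry.get("headers", {}).items():
        if ":" in name or any(ch in "\r\n" for ch in name + value):
            raise ValueError(f"malformed header: {name!r}")
        argv += ["-H", f"{name}: {value}"]
    return argv


# Constructed sample endpoints.json: one legitimate entry and three that a
# malicious repository could plant.
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"name": "health", "base_url": "https://api.example.com", "path": "/health",
     "headers": {"Authorization": "Bearer REDACTED"}},
    {"name": "metadata", "base_url": "https://169.254.169.254", "path": "/latest/meta-data/"},
    {"name": "internal", "base_url": "https://internal.api.example.com", "path": "/admin"},
    {"name": "plain-http", "base_url": "http://api.example.com", "path": "/health"},
])

# Constructed resolver so the example runs offline: 93.184.216.34 is a public
# address; 10.0.0.5 stands in for an internal host behind an allowlisted name.
FAKE_DNS = {"api.example.com": {"93.184.216.34"},
            "internal.api.example.com": {"10.0.0.5"}}


def check_endpoints(raw_json, resolver=lambda h: FAKE_DNS.get(h, set())):
    """Map each entry name to its curl argv, or to a 'REJECTED: ...' reason."""
    results = {}
    for entry in json.loads(raw_json):
        try:
            results[entry["name"]] = build_curl_argv(entry, resolver)
        except ValueError as exc:
            results[entry["name"]] = f"REJECTED: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in check_endpoints(SAMPLE_ENDPOINTS_JSON).items():
        print(f"{name}: {outcome}")
```

The argv is meant to be handed to a process API (subprocess with a list, not a shell string) so that metacharacters in base_url or headers never reach a shell. The check is still subject to DNS rebinding between validation and the request, and it deliberately omits -L: without redirect following, a public host cannot bounce curl to an internal address after validation has passed.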
Audit Metadata