sast-xxe
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill relies on external files such as sast/architecture.md and intermediate outputs like sast/xxe-recon.md to guide its subagents, creating a surface for indirect prompt injection.
- Ingestion points: The architecture summary from sast/architecture.md and the list of vulnerable sites from sast/xxe-recon.md are passed directly to subagents as context.
- Boundary markers: There are no explicit delimiters or instructions to the subagents to ignore potential commands or adversarial instructions within the ingested metadata.
- Capability inventory: The skill manages subagents, performs filesystem writes (sast/xxe-results.md), and generates functional exploit payloads and curl commands.
- Sanitization: The skill does not perform validation, escaping, or sanitization on the content of the architecture file or recon results before processing them.
- [COMMAND_EXECUTION]: The skill's instructions require the agent to generate functional curl commands and XXE payloads targeting sensitive system files (e.g., /etc/passwd) as part of the output report. While these are intended for verification, they constitute a capability to generate and suggest the execution of dangerous commands based on analyzed input.
Audit Metadata