cve-exploit-methodology

Pass

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides a wide array of shell commands for the agent to execute, including network scanning (nmap), web fingerprinting (whatweb), and vulnerability exploitation (nuclei, curl). These commands are intended to be run against external targets.
  • [EXTERNAL_DOWNLOADS]: The instructions reference several third-party security tools and exploit scripts such as JNDIExploit.jar, shiro_attack.jar, and spring4shell.py. While the skill does not include an automated download command (e.g., curl | bash), it directs the agent to locate and execute these external dependencies, which poses a supply-chain risk if sourced from unverified repositories.
  • [REMOTE_CODE_EXECUTION]: The skill guides the agent in constructing and executing remote code execution payloads (e.g., Log4j JNDI injection, Spring4Shell). These payloads often involve connecting back to external infrastructure (ATTACKER_IP, DNSLOG), which is the standard operational mode for this skill's intended purpose but involves inherent risk.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted external content.
      • Ingestion points: Untrusted data enters the agent's context through HTTP response headers and bodies from target servers, community-contributed Nuclei templates, and GitHub-sourced PoC scripts.
      • Boundary markers: No explicit instructions or delimiters separate untrusted data from the agent's instructions, and there is no warning for the agent to ignore instructions embedded in the target data.
      • Capability inventory: The skill uses high-privilege capabilities, including full shell access, the ability to run arbitrary Java and Python code, and broad network access.
      • Sanitization: No sanitization or validation logic is defined for data retrieved from external network targets before it is displayed to the user or used in follow-up terminal commands.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 22, 2026, 07:57 AM