harbor-exploit

Fail

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill documentation and scripts contain hardcoded default credentials for Harbor administrative accounts (admin:Harbor12345).
  • [DATA_EXFILTRATION]: Automated Python scripts (enumerate_harbor) are provided to perform unauthorized enumeration of projects and repositories on remote Harbor instances, specifically designed to leak private image data and pull commands (CVE-2022-46463).
  • [COMMAND_EXECUTION]: The skill includes instructions for the agent to execute shell commands (docker login, docker tag, docker push) and Python scripts using the requests library to perform network-based exploitation of remote targets.
  • [REMOTE_CODE_EXECUTION]: While not directly executing code on the agent's host, the skill provides functional exploit code (CVE-2019-16097) to remotely create unauthorized administrator accounts on vulnerable Harbor installations.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 22, 2026, 10:07 AM