
kage

Warn

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM

Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill implements an 'exploit and verify' loop where it generates Python-based proof-of-concept scripts and subsequently executes them to confirm vulnerabilities. This represents automated execution of AI-generated code which may be influenced by untrusted data from the target.
  • [COMMAND_EXECUTION]: The skill's core uses a host-side shim that executes arbitrary commands inside a Docker container. The agent has broad capability to construct and run shell commands during the reconnaissance and testing phases. Additionally, internal scripts such as 'gitmail.py' use subprocess execution to run external tools.
  • [EXTERNAL_DOWNLOADS]: The Dockerfile installs numerous security tools from official and third-party GitHub repositories (e.g., ProjectDiscovery, TomNomNom, FFUF). While these are recognized tools in the security community, the volume and variety of sources represent a large supply-chain surface.
  • [CREDENTIALS_UNSAFE]: The skill instructs users to store sensitive authentication data, including passwords, session cookies, and API keys, in a local 'creds.md' file. While intended for local use during the engagement, storing plain-text secrets in project directories is a risk factor.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data gathered during reconnaissance (page content, technology fingerprints, crawled URLs) and feeds this information into specialized sub-agents for analysis. This creates an attack surface where a malicious target could provide content designed to influence the agent's behavior.
  • [DATA_EXFILTRATION]: By design, the skill sends numerous probes and exploit payloads to external network targets. While results are stored locally, the agent's core function involves significant external network interaction and data transmission.
  • [PRIVILEGE_ESCALATION]: The Docker environment is configured with 'sudo' access for the 'pentester' user without a password. The host-side shim facilitates execution with these elevated privileges inside the container environment.
Audit Metadata

Risk Level: MEDIUM

Analyzed: May 11, 2026, 05:05 PM