request-smuggling

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill serves as an instructional manual for security professionals or AI agents performing authorized security research. It provides detailed HTTP payload examples, testing methodologies, and logic flows for various desynchronization attacks (CL.TE, TE.CL, TE.TE, HTTP/2, and Client-Side Desync).
  • [COMMAND_EXECUTION]: While the skill contains code snippets (HTTP requests and JavaScript PoC), these are intended as payloads to be sent to a target system during testing, not as commands to be executed on the host environment.
  • [EXTERNAL_DOWNLOADS]: The skill references established open-source security tools on GitHub (e.g., Burp Suite extensions, defparam/smuggler, h2csmuggler) as recommendations for the user. It does not contain instructions to automatically download or execute these tools on the agent's host.
  • [PROMPT_INJECTION]: The 'AI LOAD INSTRUCTION' blocks are legitimate operational guidelines for the agent and do not contain bypass or override patterns.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 30, 2026, 12:02 PM