Skip to content

[BUG] Agent fails to use credentials from --instruction and misses unauthenticated services #322

New issue
New issue
Open
Open
[BUG] Agent fails to use credentials from --instruction and misses unauthenticated services#322
@mason5052

Description

@mason5052
mason5052
opened on Feb 22, 2026

Description

Two related issues with how Strix handles target analysis when given instructions:

Issue 1: Credentials in --instruction not used for authentication

When providing credentials via --instruction, the agent fails to actually authenticate and test post-auth surfaces.

Steps:

strix -n -t http://10.1.1.81:30080 -m standard   --instruction "This is a Grafana dashboard. Default credentials may be admin:prom-operator. Test for: auth bypass, SSRF, XSS, API enumeration."

Result: Report states "all attempts resulted in 401 Unauthorized responses indicating credential issues." The agent never successfully authenticated despite being given valid credentials.

Expected: Agent should parse credential hints from instructions, attempt login (POST /api/login for Grafana), and proceed with authenticated testing.

Issue 2: Unauthenticated Docker Registry not flagged as vulnerability

When scanning an unauthenticated Docker Registry v2 API:

strix -n -t http://10.1.1.81:30500 -m standard   --instruction "Docker Registry v2 API. No auth configured. Test for: unauth image pull/push, catalog enumeration."

Result: Report mentions "MANIFEST_UNKNOWN errors" but does NOT flag the unauthenticated registry as a vulnerability. Zero vulnerabilities reported.

Expected: An unauthenticated Docker Registry allowing GET /v2/_catalog and image pull without any auth should be flagged as HIGH/CRITICAL. The instruction explicitly stated "No authentication is configured" but the agent did not treat this as a finding.

Issue 3: IP scan findings not captured in vulnerability tracker

When scanning an IP address:

strix -n -t 10.1.1.81 -m quick

Result: Report text mentions missing security headers, unsecured Docker Registry, and open services -- but the vulnerability counter shows 0 and no vulnerability files were generated. The narrative contradicts the vuln count.

Expected: Issues described in the report text should be tracked as formal vulnerability records.

Impact

  • Authenticated testing effectively broken when credentials provided via instructions
  • Critical misconfigurations (open registries) go unreported
  • IP scan findings lost between report narrative and vulnerability tracking
  • Exit code shows 0 (clean) when report text describes issues

System Information

  • OS: Amazon Linux 2023 (x86_64)
  • Strix Version: 0.8.1
  • Python Version: 3.12.9
  • LLM Used: openai/gpt-4o-mini
  • Scan Mode: standard / quick

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions