The Agent Skills Directory

[COMMAND_EXECUTION] (HIGH): Multiple scripts in the toolkit are designed to execute local binary files. Specifically, tools/offset_finder.py and the templates (templates/pwn_basic.py, templates/pwn_rop.py) utilize the pwntools library's process() and gdb.debug() functions to run binaries. If an agent is provided a malicious binary to 'analyze' or 'exploit', it will execute that binary on the local system.
[REMOTE_CODE_EXECUTION] (HIGH): The script ghidra_headless/decompile_headless.sh executes the Ghidra analyzeHeadless tool with a custom Java script (DecompileCLI.java). This involves executing code within the Ghidra environment on arbitrary binary inputs.
[INDIRECT_PROMPT_INJECTION] (HIGH): The skill is designed to ingest untrusted data in the form of binary files and their metadata.
Ingestion points: Binary files processed by strings, Ghidra, and pwntools (e.g., in USAGE.md, decompile.py).
Boundary markers: None identified. Data is processed as raw streams or strings.
Capability inventory: The skill can execute processes, write files (via mktemp and shell redirects), and perform network requests (via templates/web_requests.py).
Sanitization: None. The toolkit assumes the user wants to see raw output (like decompiled C or string dumps), which an attacker could use to inject instructions into the agent's reasoning loop.
[PRIVILEGE_ESCALATION] (MEDIUM): The script tools/patch_ld_preload.sh facilitates the use of LD_PRELOAD, a technique used to intercept library calls. While intended for exploitation testing, this is a classic mechanism for altering the behavior of privileged processes.
[EXTERNAL_DOWNLOADS] (LOW/INFO): The documentation (USAGE.md, gadgets/one_gadget_notes.md) references external libc databases (e.g., libc.blukat.me, libc.rip) and tool installers (gem install one_gadget). These are standard CTF resources, but the automated scanner correctly flagged libc.so patterns as high-risk in a general context.

pwn-exploits