soc-compass

Pass

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill communicates with the SOC Compass API (hosted on the well-known Convex platform at astute-cormorant-480.convex.site) to synchronize investigation data. These network operations are core to the skill's purpose and use the Bash tool with curl as specified in the documentation.
  • [SAFE]: Security-sensitive operations, such as running SIEM queries or VM forensics commands, follow a human-in-the-loop pattern. The agent suggests the commands/queries, but the user is responsible for manual execution and providing the results.
  • [SAFE]: Credential management follows best practices by requiring a user-provided API key at runtime rather than utilizing hardcoded secrets within the skill's code or configuration.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes untrusted external data (SIEM results and logs) provided by the user.
      ◦ Ingestion points: User-provided results from Splunk, Elastic, and Sentinel queries (SKILL.md).
      ◦ Boundary markers: Absent; the agent is directed to parse results and store them in the platform's context directly.
      ◦ Capability inventory: API interaction via curl to update investigation context and post messages.
      ◦ Sanitization: No explicit sanitization or validation of the ingested SIEM data is described.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 20, 2026, 10:19 AM