The Agent Skills Directory

[SAFE]: The skill provides legitimate cybersecurity tools for analyzing threat actor campaigns. It follows established analytical frameworks and uses recognized industry libraries.\n- [EXTERNAL_DOWNLOADS]: The skill identifies requirements for well-known cybersecurity libraries (attackcti, stix2, networkx). It also provides example integration with reputable threat intelligence services (MITRE ATT&CK, VirusTotal, PassiveTotal) for data enrichment. These references are documented neutrally as they target trusted or well-known services within the cybersecurity domain.\n- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it processes external campaign evidence data.\n
Ingestion points: Evidence data is loaded via JSON files in scripts/process.py and processed through various analysis functions.\n
Boundary markers: No explicit boundary markers or 'ignore' instructions for LLMs are present in the structured output generation.\n
Capability inventory: The skill includes functions to write analysis results to the local file system and perform network lookups to the MITRE ATT&CK TAXII server via the attackcti library.\n
Sanitization: The skill parses incoming data as JSON but does not perform content-level sanitization or escaping of the strings within the indicators or descriptions.\n
Risk level: This surface is considered low risk as the analysis logic is primarily mathematical and set-based (overlap scoring, TTP intersection) rather than involving direct interpretation or execution of natural language instructions found within the data.

analyzing-campaign-attribution-evidence