analyzing-linux-system-artifacts

Fail

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: HIGH
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The Python script scripts/agent.py is vulnerable to command injection. The run_cmd function utilizes subprocess.run(shell=True), and the find_suid_binaries function directly interpolates the evidence_root variable into a shell string via an f-string. Since evidence_root is derived from an external command-line argument (sys.argv[1]), a malicious actor could provide a path containing shell metacharacters (e.g., ; rm -rf /) to execute arbitrary commands on the system.
  • [DATA_EXPOSURE]: The skill is configured to systematically collect and read extremely sensitive Linux system files. This includes /etc/shadow (password hashes), /etc/sudoers (privilege configurations), and private SSH authorized_keys. While relevant to forensics, this behavior constitutes a high risk of data exposure if the agent is manipulated into targeting a live system rather than an isolated forensic image.
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection because it processes untrusted data from a potentially compromised system's logs and history files without sanitization or boundary markers.
      • Ingestion points: Files like .bash_history, /etc/crontab, and systemd service files are read into the agent's context for analysis.
      • Boundary markers: There are no delimiters or specific instructions to the agent to disregard malicious commands embedded within the artifact data.
      • Capability inventory: The agent possesses the capability to execute shell commands through the logic in scripts/agent.py and the workflows in SKILL.md.
      • Sanitization: The script performs no escaping or validation of the text content retrieved from forensic artifacts before processing it.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 15, 2026, 12:27 AM