The Agent Skills Directory

[DATA_EXFILTRATION]: The skill accesses multiple sensitive system paths to identify persistence markers, including /etc/crontab, /var/spool/cron/, /etc/ld.so.preload, and .ssh/authorized_keys. Although this access is intended for auditing, these files contain high-value configuration and user information.
[COMMAND_EXECUTION]: The script scripts/agent.py uses subprocess.run to execute several local system commands for enumeration, such as crontab -l, dpkg -S, and env. It also executes a shell loop via bash -c to iterate through all system users and extract their crontab entries.
[PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection because it ingests and processes untrusted data from the filesystem.
Ingestion points: scripts/agent.py reads untrusted strings from user crontabs, shell profiles (.bashrc, .profile), and systemd service units.
Boundary markers: Absent; the script does not wrap ingested system data in delimiters or provide 'ignore instructions' warnings before processing.
Capability inventory: The agent operates with root/sudo privileges and has capabilities for subprocess execution, file system access, and report generation.
Sanitization: Absent; while the script uses regex for detection, it does not sanitize or escape the content of the ingested files before including them in the final JSON report.

analyzing-persistence-mechanisms-in-linux