conducting-malware-incident-response

Pass

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The agent.py script communicates with multiple well-known security intelligence and enterprise platforms, including VirusTotal (www.virustotal.com), MalwareBazaar (mb-api.abuse.ch), ThreatFox (threatfox-api.abuse.ch), CrowdStrike (api.crowdstrike.com), and Splunk. These interactions are standard for security orchestration and incident response tools.
  • [COMMAND_EXECUTION]: The skill implements automated containment capabilities through the isolate_endpoint_crowdstrike function, which allows the agent to network-isolate infected hosts. While this is a high-privilege action, it is contextually appropriate for the skill's stated purpose of malware incident response.
  • [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as it ingests untrusted data from external security alerts and threat intelligence feeds (e.g., malware family names, file attributes, and IOCs from ThreatFox). These values are interpolated into reports and searches, which could theoretically influence agent behavior if not properly handled by the underlying model's guardrails.
  • Ingestion points: Malware metadata from VirusTotal and MalwareBazaar, and IOC lists from ThreatFox.
  • Boundary markers: Not explicitly used in the automated script output or the workflow documentation.
  • Capability inventory: The skill has the ability to read local files (for hashing), perform network requests to multiple external APIs, and execute endpoint containment via the CrowdStrike API.
  • Sanitization: The script performs basic quoting when constructing Splunk queries, but does not implement comprehensive sanitization for all external data strings before processing.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 7, 2026, 06:46 PM